U.S. Sens. Orrin Hatch (R-UT), Bill Cassidy (R-LA), Jerry Moran (R-KS), and John Thune (R-SD) on Monday requested answers from Uber Technologies on the firm’s late-2016 consumer data breach affecting some 57 million customers. Uber first publicly disclosed the breach last week.
In a letter to Uber CEO Dara Khosrowshahi, the senators requested by Dec. 11 answers to 11 questions on the breach and how Uber plans to alleviate any consumer harm done.
The senators asked for specific details on when Uber first learned hackers accessed consumer data stored in a third-party cloud service and a timeline of its investigation and response, what types of consumer data were compromised, steps Uber has taken to identify and mitigate potential consumer harm, and whether social security numbers were compromised, among other questions.
“The company maintains that its outside forensic experts have not seen any indication that customer trip location history, credit card numbers, bank account numbers, Social Security numbers, or dates of birth were downloaded,” the letter said. “Nevertheless, the nature of the information currently acknowledged to have been compromised, together with the allegation that the company concealed the breach without notifying affected drivers and consumers, and prior privacy concerns at Uber, makes this a serious incident that merits further scrutiny.”
The senators’ letter noted that a January 2015 report released by Uber concluded the company had appropriate data security and incident response plans in place.
The letter pointed out that news reports saying Uber paid hackers $100,000 to delete compromised information have raised concerns that the company may not have followed its own policies or followed the letter and spirit of an August 2017 consent order Uber entered into with the Federal Trade Commission to address its privacy and data security practices.
Hatch serves as the chairman of the Senate Committee on Finance, and Cassidy as the chair of its Subcommittee on Social Security, Pensions, and Family Policy. The subcommittee’s jurisdiction includes protection of social security numbers and programs that are targeted by identity theft.
Thune serves as the chair of the Senate Committee on Commerce, Science, and Transportation and Moran serves as the chairman of the Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security, which oversee consumer protection and cybersecurity issues. Thune is also a member of the Finance Committee.