Transportation technology services that allow anyone who passes a background check to transport strangers from one point to another have mushroomed in recent years, the first, most familiar and most successful one being Uber. Customers register contact information and credit card information with the company, and electronically transmit their locations. The company vets and collects data on those who register to drive for it.
There is no denying that, for people equipped to access such services, they are convenient, allowing customers to hail rides while indoors or outdoors and to have cars arrive, often, within minutes. The services, however and unfortunately, are less than reliable in other ways. Uber is facing an $8.9 million fine in Colorado after state regulators found the company had hired nearly 60 drivers with criminal records or serious motor vehicle offenses.
For our community, at least those of us who live in large frum enclaves, the option of a “heimishe” car service is much to be preferred, both for its safety and because it provides other community members income.
Another reason to be wary of wonder-technology transportation services became apparent last week, when Uber drivers and customers alike were stunned to learn that hackers had electronically accessed the personal information of 57 million riders and drivers.
What was worse was that the company paid hackers $100,000 to destroy the data. Worse still, the company only disclosed the breach now, although it took place last year. When it occurred, Uber did not tell either regulators or users that the information — which included names, phone numbers and email addresses — had been stolen. (It isn’t known for certain if more sensitive data like credit card numbers, bank account information, Social Security numbers or birthdays were compromised. The company says they weren’t.)
Whatever laxity enabled the breach, the company only compounded the problem by agreeing to pay the hackers — extortionists would be the accurate term. Doing so encourages the “business” of electronic extortion. It is a lucrative one. The cybersecurity firm Bitdefender estimates that “ransomware” payments by companies and individuals will top $2 billion this year.
The new revelation comes as Uber has been trying to salvage its reputation following a number of other high-profile controversies, including using special software to evade regulators, a court battle over allegedly stolen secrets from Google’s self-driving car division and a slew of complaints regarding drivers’ harassment of customers.
In January, moreover, Uber agreed to pay $20 million to settle Federal Trade Commission charges it misled drivers about how much they could make using the platform. The company also settled FTC allegations that it made deceptive privacy and security claims in August. Back in May, 2014, a different hacker accessed Uber data on more than 100,000 drivers. At that time, the FTC said Uber was not adequately monitoring employee access to customer information. That apparently didn’t change.
The man who revealed the most recent Uber data breach was its new CEO, Dara Khosrowshahi. To his credit, he stated clearly that “None of this should have happened, and I will not make excuses for it.” And he pledged, “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.” He said that the company had fired two individuals who led its security response.
Alarming as the recent breach is, it was not the largest such stealing of individuals’ personal information. Cybercriminals targeted Equifax earlier this year, compromising the personal information — including names, addresses and social security numbers — of over 145 million people.
Forty-eight states have security breach notification laws which require companies to disclose when hackers access private information. They include California, where Uber is headquartered.
State Attorneys General from New York and Massachusetts have opened investigations into the data breach. Connecticut Senator Richard Blumenthal is urging the FTC to take action against Uber and impose “significant penalties” on the company.
The private sector is also going after Uber for its lapse of security and responsibility. Within hours of the company’s announcement, it was hit with a class action suit claiming its drivers and passengers are at risk of fraud and identity theft as a result of the company’s negligence.
We live in a litigious and often over-regulated society. But cases of gross irresponsibility that compromise individuals’ privacy and security are rightly prosecuted in courts.
Whether Uber’s new CEO will be successful in turning the company’s reputation around will have to be seen. In the meanwhile, and even thereafter, whenever possible, we should consider less technologically advanced but more community-conscious alternatives.