Uber fired its chief security officer and another employee this week following a huge data breach the ride-sharing company has been hiding for a year. Former head of security Joe Sullivan reportedly led the response to the hack, which happened when two attackers tapped Uber employees’ GitHub and Amazon Web Services information to steal a trove of rider and driver data. The company’s “solution” was not to report the breach properly and to give the hackers $100,000 purportedly in exchange for deleting the data.
How bad is it?
The hackers stole information about 57 million customers and drivers, including around 600,000 driver’s license numbers. The hacked data included names, email addresses and phone numbers, but Uber says the hack didn’t get Social Security numbers, credit cards or data about your location during trips.
Seems like a mess.
Uber has been here before. The company was hacked in 2014 and fined $20,000 for failing to disclose the security leak. While negotiating with the feds for a privacy settlement, Uber was simultaneously trying to pay $100K to hackers in exchange for deleting info about 57 million people.
EDITOR'S NOTE: This article provided courtesy of TheBlaze.
This is a rush transcript and may contain errors.
DOC: What would you do if you ran Uber? How would you handle the news that hackers got the personal information on 57 million customers and employees? What would you do if you were an investor in the company and you had discovered that managers hid that breach from the public, including those people who had their information stolen, customers, employees?
Think about that a moment. You ran the place. How would you handle that? How would you have handled it before, when you just found out about the hack? How would you handle it now after you found out that people tried to cover it up?
Hi there, it’s Doc Thompson. I’m in for Glenn today. There’s a specific reason why I’m asking you how you would handle it. And I’ll open up the phone lines in a couple of minutes. 888-727-BECK. I’ll also check out some of the tweets you sent to the program.
It’s @DocThompsonshow. But there’s a specific reason I really want to get your thoughts on this. Challenge yourself for a moment. What would you do if you ran Uber? Now, you’re probably thinking to yourself, well, I wouldn’t let it get to this point.
Let me explain what happened. Let me give you the details. And I challenge you to challenge yourself and come up with an answer in your own head, maybe share it with somebody that’s next to you right now. Discuss it with them. And there’s a reason I’m asking, that I’ll get to in a moment.
Let me give you the details. More than a year ago, hackers got access to Uber’s database. And they stole the personal information of about 50 million Uber users. If you used Uber, it may have been you. Name, email addresses, phone numbers. This is what they say they got access to. 50 million users.
And they got personal information of about 7 million Uber drivers. That includes about 600,000 driver’s licenses.
So if you’re a driver, you may have gotten that information that way, including your driver’s license and number. Now, they claim that no Social Security numbers were breached. No credit cards were breached. They didn’t get that information. But come on.
Come on. They got all that other stuff. Can we really believe them, knowing that for a year, they didn’t tell anyone about this? Even the people affected. Isn’t that a moral breakdown, if not a legal breakdown? I would think so. Is it right that they wouldn’t tell the people affected by it?
Now, I know why. They’re trying to protect the company. And I can respect that on a certain level. But don’t you care about your customers? I’m not blaming you for the breach. There could have been problems. Maybe you did everything you could. Through no fault of your own. There was no failure of security. But they got the information. Not blaming you for that. I’m blaming you for the cover-up and why you didn’t share it. I understand protecting the company.
What would you do if you were an investor right now in that company? Because as an investor, it’s your company. You run that company. You own it. Yeah, there’s managers. CEOs. CFOs. Different, you know, people that run it on a daily basis. But you own the company. Ultimately, the buck stops with you and the other investors. What would you do if you ran the company?
Uber even said they had a legal obligation to report the hack to regulators and to the drivers whose information was stolen. But they didn’t.
They didn’t do it. In fact, when this breach happened, Uber was at the time negotiating with federal regulators about other privacy violations.
So they knew of this. It was on their front burner. This is what they were dealing with. Then suddenly the breach happens. And they start covering it up. Uber paid other hackers to delete the data and keep the breach quiet, just to cover it up. What would you do now, knowing that, if you were an investor?
The new CEO, Dara (sound effect), pretty sure that’s how you pronounce her name, she said, none of this should have happened, and I will not make excuses for it. We’re changing the way we do business.
Good. I’d like some details. But good, good.
She said, at the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access. Good, good.
Good. That sounds great. But what specifically are you going to do moving forward? And who will be punished? See, as an investor, if you owned, even in part, that company, I would want people held accountable, if there were things done wrong.
Obviously, the cover-up, that was wrong. I would want specific, real examples. I want a definitive plan of what you’re going to do moving forward to make sure that doesn’t happen again, right? Is that what you would want?
Would you want people to be held accountable, and you want to know specifically what will change in the future? That’s what I would want too.
The reason I asked that is because you may not be an owner of Uber. You may not own stock. But you do own the Veterans Administration. You and I own it.
We’re American citizens. We have a contractual and moral obligation to do what we said we would do, and that is to care for veterans. And I bring that up because the Veterans Administration has failed far more. And continues to fail far more than Uber ever has.
The Veterans Administration exposed millions of veterans’ information, repeatedly. Over and over again, over the last 15 years or so. They have done virtually what Uber did.
Again, they were hacked. The information. At one point, there was a database stolen. Over and over again, the Veterans Administration has been sloppy. Uber may not have even been sloppy with it. The way theirs was breached, two hackers got access to a coding site. So maybe they were sloppy or not, but the Veterans Administration has been sloppy. You own that company. So if you said what I would do if an owner of Uber, I would make sure that people were held accountable and I would want a plan for the future. Who has been held accountable? What is the plan for the future?
Over and over again, the Veterans Administration has failed us. But it’s far worse than breaching private information. There’s a new inspector general report this morning about the Veterans Administration.
And it confirms, among other things, that the Veterans Administration facility in Denver has been lying about wait times that track mental health care.
How many times do we have to read about this, as the owners, the people, who are ultimately in charge of saying what is right and wrong within our government? How many times do we have to hear about these stories, before we actually hold people accountable? And before we actually get a working plan for the future?
This has happened over and over again. Most recently, a former VA employee, by the name of Brian Smother claimed that the staff in Denver kept separate lists. The same thing that we had.
KRIS: We’ve heard that before.
DOC: Over and over again. Kris Cruz from The Morning Blaze joining me as well, who is a combat veteran, having served both in Iraq and Afghanistan, who suffers with PTSD, who has had his ankles replaced.
Kris, over and over again, this was the story. This was the big fail out of Phoenix, as a matter of fact, where veterans died. It had to do with the wait times. Number one, the failure is that veterans do not get the timely service that they need. The timely appointments that they need. But then covering it up. They covered up the wait times and had a separate list.
KRIS: It’s infuriating.
DOC: I don’t know what else it takes. How many times do we have to hear these stories?
KRIS: And not just that. I tried — Doc, I’m not the most healthy person out there.
DOC: Well, I think anyone that listens to The Morning Blaze knows that.
KRIS: Exactly. And one of the things, I have an issue with my heartburn. I get heartburns in the morning, and it’s frustrating.
DOC: But it’s chronic. And it’s almost debilitating.
KRIS: Exactly. So I was like, you know what, I got to get this shot. I don’t want to have an ulcer or something wrong with me. Because my body is telling me, hey, there’s something wrong with me.
DOC: Too much acid.
KRIS: I called the VA in Orlando, Florida. And I was like, hey, I’m scared. You know, the syntax is no longer working. What can I do?
DOC: You got in and out, right?
KRIS: You can come in.
DOC: Oh, good job.
KRIS: February of the next year. And I was calling —
DOC: Were you calling in January?
KRIS: No, I was calling in July of the year before.
DOC: So you called in July, and they said, great, come in.
DOC: In February.
KRIS: In February. For something that I — that I’m worried because I got heartburn every single morning.
DOC: Like excessive.
KRIS: And the medication says, if it prolongs two weeks or more, please contact your doctor because it could be something serious.
DOC: So they said — this is happening. And if this happens for more than two weeks, contact your doctor. And you contact. And they’re like, great. February.
KRIS: Great. We’ll see you in February of 2017.
DOC: Hey. Wow. That’s good.
KRIS: And I was like, are you kidding me?
They’re like, oh, we’re busy. But if somebody cancels, we’ll call you.
DOC: Who is canceling? When everybody is backlogged nine months?
KRIS: I was like, nobody is going to cancel.
DOC: This is infuriating. Think about when I asked you about owning Uber. Maybe you own a business. What if your kids acted this way — what if the guy who cuts your lawn. Maybe you’re not a business owner, but you employ people to do things from time to time around your house. Your veteran area and your dentist. Whatever it is.
If this is how they treated you and your information, you would demand accountability. And you would demand an answer moving forward, or you would, what? No longer do business with them.
I think it’s time we no longer do business with the Veterans Administration. It is time. It is shutdown.
Now, veterans out there, don’t for a moment think I abandon you. I’m not suggesting that we shut it down and leave all of you. No. It is a slow shutdown, rolling out over the next four or whatever years it takes, at the same time, offering veterans another plan, where the United States government — and by that, I mean American citizens pick up your health care fees. That’s it.
There’s the solution. We don’t need all of these people working within the administration. We don’t need levels and levels of bureaucracy. We need money in the hands of those veterans, so they can get an insurance policy and go to the doctor. There are doctors everywhere, doctors that you can get in today, if you’re not in the Veterans Administration.
The veterans would be able to pick whatever doctor they want. That is the accountability. I’m calling for it now. Over and over. Breaches of security. Veterans being killed. Secret wait lists. This continues to happen. And nobody is offering a solution. You want a solution. Here’s the solution: results. We demand results.
No more left versus right, Democrat, Republican, unions or any of that crap. Results. All I want to hear is results.
You get in the debate with somebody. You’re at Thanksgiving tomorrow, and it comes up. What are the results?
What has happened? What are the results? Well, we fired — what were the results? Well, we got a new director. What were the results?
This is not two years of results we can look at. We can look at the last 50, 60. The Veterans Administration has been around since the 1930s. Prior to that, the Veterans Bureau for 10 years, and they failed. Over and over again. Every couple of years. Massive failures. What are the results? All I want, what are the results?
We’ve got a track record of continuous failure. What are the results? Great. There’s no denying that.
Now, moving forward, if it is anything like we continue to do, well, we’re going to get a new — no, that hasn’t worked. We’ll change — that hasn’t worked. Shut it down. Give veterans the money or the policies they need to get the health care. And then get out of the way.