Portland officials have demanded Uber turn over information about a massive 2016 data breach the company failed to disclose until last month.
The ride-hailing company on Nov. 21 disclosed a 2016 data breach in which hackers accessed files that included information on its drivers and riders. It also admitted it had kept the incursion under wraps for more than a year, rather than alerting affected customers, regulators or law enforcement.
In a letter sent to Uber’s CEO on Friday, Portland Commissioner Dan Saltzman said Uber had violated the city’s code by withholding information on the breach, and he demanded more information on how many Uber drivers and customers had been affected in the city.
Saltzman, who oversees the city’s transportation department, suggested the failure to notify the city of the breach might be a violation of city code, which requires companies like Uber to protect personal data and notify the city in the event of a breach.
And although Uber has been in hot water with the city before — for operating illegally in Portland before it was sanctioned, and later when it was disclosed that it used software at that time to avoid city regulators — it has maintained that it’s abided by the city code since it was amended to legalize Uber’s business.
"Uber’s past actions in the City of Portland have been severely problematic," Saltzman wrote in the letter to Dara Khosrowshahi, Uber’s chief executive. "To learn now that Uber deliberately concealed a massive data breach involving both customer and driver information for a period of over a year adds to the already strained relationship the City has with Uber."
Saltzman demanded that Uber turn over more information about the breach, including the number of drivers and riders affected, its policy on reporting security breaches and assurances that it had not violated any other city regulations or state laws since January 2016, when code legalizing Uber’s business model took effect.
An Uber spokesman declined to provide that information to The Oregonian/OregonLive, instead providing a statement: "We take this matter very seriously and we are happy to answer any questions regulators may have. We are committed to changing the way we do business, putting integrity at the core of every decision we make, and working hard to re-gain the trust of consumers."
Uber reported to the Oregon Department of Justice that 1,300 Oregon driver’s license numbers — presumably belonging to Uber drivers — had been accessed in the breach. Uber has contacted drivers directly about the breach and offered a year of credit-monitoring service through the credit bureau Experian.
The Justice Department said it is participating in a multi-state investigation involving the Uber breach.
It’s unclear how many Uber riders in Oregon were affected by the breach.
Uber said 57 million users worldwide might have had information exposed, including names, email addresses and mobile phone numbers. It said riders’ trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth don’t appear to have been accessed.
Portland already sparred with Uber this year over the company’s use of the "Greyball" software to avoid regulators in 2014. The city closed the investigation after finding no wrongdoing since that time.
— Elliot Njus
Rush-hour tolls could come to I-5 and I-205, but they are far from certain, and Washington officials are trying to stop them.