By Jim Finkle and Heather Somerville
TORONTO/SAN FRANCISCO (Reuters) - Struggling ride-hailing firm Uber [UBER.UL] faces a fresh regulatory crackdown after disclosing it paid hackers $100,000 to keep secret a massive breach last year that exposed personal data from around 57 million accounts.
Discovery of the U.S. company's cover-up of the incident resulted in the firing of two employees responsible for its response to the hack, said Dara Khosrowshahi, who replaced co-founder Travis Kalanick as chief executive in August.
"None of this should have happened, and I will not make excuses for it," Khosrowshahi said in a blog post. (http://ubr.to/2AmxlQt)
Britain's data protection authority said on Wednesday that concealment of the data breach raises "huge concerns" about Uber's data policies and ethics.
"Deliberately concealing breaches from regulators and citizens could attract higher fines for companies," James Dipple-Johnstone, deputy commissioner of the UK Information Commissioner's Office, said in a statement. Current British law carries a maximum penalty of 500,000 pounds ($662,000) for failing to notify users and regulators when data breaches occur.
The stolen information included names, email addresses and mobile phone numbers of Uber users around the world, and the names and license numbers of 600,000 U.S. drivers, Khosrowshahi said. Uber declined to say what other countries may be affected.
Khosrowshahi also said Uber had begun notifying regulators. The New York attorney general has opened an investigation, a spokeswoman said. Regulators in Australia and the Philippines said on Wednesday they would also look into the matter.
Long known for its combative stance with local taxi regulators, Uber has faced a stream of top-level executive departures over issues from sexual harassment to data privacy to driver working conditions, which forced its board to remove Kalanick as CEO in June.
In recent months, London's transport regulator stripped Uber of its license to operate citing the company's failure to deal with public safety and security issues, although Uber is appealing against the decision and the new CEO has held talks with Transport for London to resolve the stand-off.
The agency said it was seeking more information from Uber.
"We are pressing them for the full details of what has happened so that we can be satisfied that all the right protections are in place for the personal data of drivers and customers in London," a Transport for London spokesman said.
Britain's National Cyber Security Centre said it was working with other national authorities to determine how UK citizens may have been affected, but added that it has no information, so far, that customer financial details had been compromised.
WHO KNEW WHAT WHEN?
The breach occurred in October 2016 but Khosrowshahi said he had only recently found out about it.
Bloomberg News first reported the data breach on Tuesday.
But Kalanick learned of the breach in November 2016, a month after it took place, a source familiar with the matter told Reuters. At the time, the company was negotiating with the U.S. Federal Trade Commission over the handling of consumer data.
A board committee had investigated the breach and concluded that neither Kalanick nor Salle Yoo, Uber's general counsel at the time, were involved in the cover-up, another person familiar with the issue said. The person did not say when the probe took place.
Uber said on Tuesday it was obliged to report the theft of the drivers' license information and had failed to do so.
"There is no question that the previous management and security team at Uber failed in their responsibility to their drivers, to regulators, to justice and above all to customers," said Rik Ferguson, vice president of security research at software firm Trend Micro. "That’s a pretty long list".
There is no evidence of fraud against passengers as a result of the data breach, while drivers whose license numbers had been stolen are being offered free identity theft protection and credit monitoring, Uber said.
Two hackers gained access to proprietary information stored on GitHub, a service that allows engineers to collaborate on developing software code. There, the two people stole Uber's credentials for a separate cloud-services provider where they were able to download driver and rider data, the company said.
A GitHub spokeswoman said the hack was not the result of a failure of GitHub's security.
"While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes," Khosrowshahi said.
Uber is negotiating with a consortium led by Japan's SoftBank Group (9984.T) for fresh investment that could be worth up to $10 billion, sources told Reuters earlier this month. SoftBank declined to comment on whether the security breach could lead it to renegotiate terms of its proposed deal.
Uber said it had fired its chief security officer, Joe Sullivan, and a deputy, Craig Clark, this week over their role in the handling of the incident. Sullivan, formerly the top security official at Facebook Inc (FB.O) and a federal prosecutor, served as both security chief and deputy general counsel for Uber.
Sullivan declined to comment when reached by Reuters. Clark could not immediately be reached for comment.
Kalanick, through a spokesman, declined to comment. The former CEO remains on the Uber board of directors, and Khosrowshahi has said he consults with him regularly.
Although payments to hackers are rarely publicly discussed, U.S. Federal Bureau of Investigation officials and private security companies have told Reuters that an increasing number of companies are paying criminal hackers to recover stolen data.
Uber has a history of failing to protect driver and passenger data. Hackers previously stole information about Uber drivers and the company acknowledged in 2014 that its employees had used a software tool called "God View" to track passengers.
Khosrowshahi said on Tuesday he had hired Matt Olsen, former general counsel of the U.S. National Security Agency, to restructure the company's security teams and processes. The company also hired Mandiant, a cyber security firm owned by FireEye Inc (FEYE.O), to investigate the breach.
The new CEO has traveled the world since replacing Kalanick to deliver a message that Uber has matured from its earlier days as a rule-flouting startup.
"The new CEO faces an unknown number of problems fostered by the culture promoted by his predecessor," said Erik Gordon, an expert in entrepreneurship and technology at the University of Michigan's Ross School of Business.
(Reporting by Jim Finkle in Toronto; Heather Somerville, Joseph Menn and Stephen Nellis in San Francisco, Manolo Serapio Jr in Manila, Byron Kaye in Sydney, Sam Nussey in Tokyo and Eric Auchard in London; Editing by Lisa Shumaker, Stephen Coates and Adrian Croft)