TORONTO/SAN FRANCISCO (Reuters) – A newspaper advertisement for an Uber Technologies stock sale was juxtaposed on Wednesday with a report that the ride-service provider had covered up a data hack – something of a metaphor for Uber, a company with boundless investor interest, but whose penchant for rule-breaking has led to a series of scandals.
The stock sale advertised in the New York Times will enable Uber investors to sell their shares to Japanese investor SoftBank, a critical deal for the company whose problems included building software to spy on competitors and to evade regulators and being investigated in Asia for paying bribes.
Uber on Tuesday said that it had paid hackers $100,000 to destroy data on more than 57 million customers and drivers that was stolen from the company – and decided under the previous CEO Travis Kalanick not to report the matter to victims or authorities. Uber was first hacked in October 2016 and discovered the data breach the following month.
Chief executive Dara Khosrowshahi, who took the helm in August with the mission of turning around the company and overhauling its culture, acknowledged in a blog post that Uber had erred in its handling of the breach.
The timing of the disclosure could hardly have been worse.
The company is trying to complete a deal with SoftBank Group Corp in which the Japanese firm would invest as much as $10 billion for at least 14% of the company, mostly by buying out existing shareholders. SoftBank is advertising to find shareholders who want to sell.
Uber last month announced a preliminary deal for the SoftBank investment.
One question is whether SoftBank will now try to alter the price of the deal. One source familiar with the matter said SoftBank is planning to stick to its agreement to invest in Uber but may seek better terms. SoftBank has not yet made a final decision on whether to renegotiate, the source said.
Uber said on Thursday that it discussed the massive data breach with SoftBank ahead of going public with details of the incident.
Another question is the future of Kalanick, the co-founder who led Uber to becoming a global powerhouse but did so with aggressive and controversial tactics. He was forced out by investors in June who feared his leadership style would damage the company, although he stayed on the board and remains a significant shareholder.
A bitter battle among investors over how to resolve Uber’s problems led to a lawsuit by early investor Benchmark, which sought to oust Kalanick from any role. But a settlement was reached earlier this month to pave the way for the SoftBank deal, with Kalanick retaining his board seat and other rights.
Kalanick was made aware of the hack last November and was aware of the $100,000 payment, according to a person close to the matter. Kalanick has declined to comment. Uber did not respond to questions from Reuters on Wednesday.
Multiple investigations and lawsuits
The scope of the repercussions Uber will face for the October 2016 data breach began to take shape Wednesday with governments around the world opening investigations.
Authorities in Britain, Australia and the Philippines said they would investigate Uber’s response to the data breach. London’s transport regulator, which has been in discussions with the ride-hailing firm after stripping it of its license to operate, said it was pressing Uber for details.
Canada’s privacy watchdog said that it had asked Uber for details on the breach, though it had not launched a formal investigation.
Attorneys general offices in at least six US states along with the Federal Trade Commission (FTC) have announced they are looking into the matter. Some states are likely to go after Uber for breaking laws on data breach notification within a reasonable period of time.
At least two class action lawsuits have been filed against the company in the United States for failing to disclose the data breaches and causing potential harm to consumers.
Uber said that it has been in touch with the FTC and several states to discuss a hack and pledged to cooperate.
Legal experts said the company is likely to face limited financial fallout from data-breach lawsuits. Uber might succeed in squelching them outright because its agreements with both customers and drivers call for mandatory arbitration of disputes.
Uber fired its chief security officer, Joe Sullivan, and a deputy, Craig Clark, over their role in handling the hack.
The board of directors had commissioned an investigation into Sullivan and his team, which is how the breach was discovered. The board committee concluded that neither Kalanick nor Salle Yoo, who was general counsel at the time, had been consulted in the company’s response to the breach, according to a second person familiar with the matter.
It is unclear what the board of directors knew, if anything. Multiple board members did not respond to requests for comment.
“The scope of this breach is something the Uber board should have been briefed about and consulted on at the very least,” said Cynthia Clark, an associate professor of management at Bentley University. “It’s a monitoring issue and one of strategy and reputation.”
Clark said that these sorts of risks could affect Uber’s IPO, which the board has agreed will take place in 2019.
The company has begun overhauling its security practices with help from Matt Olsen, former general counsel of the US National Security Agency and director of the National Counterterrorism Center, CEO Khosrwoshahi said.
Uber in August settled with the FTC after the regulator found the company failed to protect the personal information of passengers and drivers, an agreement that requires 20 years of regular auditing of Uber’s data.
After this week’s disclosures, Uber can expect “more audits and more people inside of the company” from regulators, said cyber security attorney Steven Rubin.
(Reporting by Jim Finkle in Toronto and Heather Somerville in San Francisco; Additional reporting by Diane Bartz in Washington, Greg Roumeliotis in New York and Alastair Sharp in Toronto.; Editing by Jonathan Weber and Grant McCool)