Several US senators are troubled by Uber’s belated reporting of a 2016 data breach and are demanding answers.
On Monday, four Republican senators sent a letter to the ride-hailing company, asking for additional details surrounding the breach, which affected 57 million users, but was only disclosed last week.
In the letter, the senators—John Thune, Orrin Hatch, Jerry Moran and Bill Cassidy—called the breach a “serious incident that merits further scrutiny.”
Also today, Democratic Sen. Mark Warner of Virginia sent a separate letter to Uber, in which he said he had “grave concerns” with how the company handled the breach.
Both letters pointed to media reports, which claim Uber paid the hackers behind the breach $100,000 to stay quiet and delete the stolen data. The ride-hailing company then remained silent on the matter for a whole year until its new CEO, Dara Khosrowshahi, learned of the incident, and decided to make it public.
“Uber’s conduct raises serious questions about the company’s compliance with relevant state and federal regulations,” Warner said.
Most states have laws that demand businesses disclose data breaches when they affect local residents. Why Uber decided to stay mum on the incident isn’t clear, but its previous CEO, Travis Kalanick, was notorious for trying to buck the rules.
In a statement, an Uber spokesperson said: “We have been in contact with members of Congress and the relevant committees to inform them of the situation. We are working to respond to their inquiries and address their concerns.”
Both letters include a list of questions, including whether the company sought to deliberately cover up the breach, if so why, and who authorized the $100,000 payment to the hackers.
The FTC and UK regulators are also investigating Uber’s handling of the breach.
The data stolen included names, email addresses and mobile phone numbers from Uber riders. Another 600,000 Uber drivers had their driver’s license numbers exposed. Uber hasn’t detected any misuse tied to the affected accounts, but the company has been monitoring them with extra fraud protection. It also fired the two employees who led Uber’s response to the breach.