Uber’s Data Breach: Can the Company Course-Correct?
Investors and customers once tolerated Uber’s skirmishes with regulators as the price one pays for innovation. But that may no longer be so.
Ride-hailing app company Uber is not about to see any immediate loss of customers following recent disclosures that it failed to notify both regulators and the public about a huge data breach. But the company is facing serious longer-term threats to its dominant market position if customers worry about its safety compliance as the industry moves toward driverless cars, according to experts at Wharton and Northeastern University. The disclosures have prompted multiple investigations against Uber in the United States and in Europe, which will likely impact its $68 billion valuation as it prepares for an initial public offering in 2018 or 2019.
The disclosures came as Judge William Alsup of the US District Court in California began hearing a case in which Google parent company Alphabet has accused Uber of stealing its trade secrets on driverless car technology from its subsidiary Waymo. One revelation was that Uber delayed disclosing to regulators, consumers and drivers that hackers had stolen data on 57 million user accounts, including those of 600,000 drivers, in October 2016. A month later, Uber quietly paid the hackers $100,000 in ransom to destroy that data.
In a subsequent revelation, a letter from a former Uber employee that was read out loud in Judge Alsup’s court talked of a company unit that sought to collect competitors’ trade secrets, and of efforts to train employees to shield “unlawful schemes” from regulators. On November 28, Judge Alsup put off the Waymo-Uber trial, saying that the letter’s contents put Waymo at a disadvantage.
The hacking episode and the revelation of a clandestine unit to dodge regulators “fit into a pattern of problems at Uber, many of which do involve deception,” said Wharton management Professor John Paul MacDuffie, who is also director of the school’s Program on Vehicle and Mobility Innovation. “Each of these [incidents] are just going to chip away at Uber’s reputation and its hold on its customers.” Earlier this year, Uber had committed itself to strengthening its corporate culture following a report written by former US Attorney General Eric Holder.
“The reputational issues … really matter when a consumer is faced with trusting a machine with her safety and getting from point A to point B without fear of malfunction and/or compromise and the result is potentially physical dismemberment and death,” said Andrea Matwyshyn, professor of law and computer science at Northeastern University and an affiliate scholar at the Center for Internet and Society at Stanford University. “Trust and branding as [they apply] to choices by consumers will become increasingly relevant, and determine the winners and losers” in the ride-hailing apps that deploy autonomous vehicles.
MacDuffie and Matwyshyn discussed Uber’s troubles and their implications for the company and its industry segment on the Knowledge@Wharton show on Wharton Business Radio on SiriusXM channel 111.
Uber CEO Dara Khosrowshahi inherited those troubles after the company’s board ousted its controversial co-founder and former CEO, Travis Kalanick, in June 2017. “None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” Khosrowshahi said in a statement.
Khosrowshahi noted that the company has “not seen evidence of fraud or misuse” related to the hacking, and that it is monitoring the affected accounts. He said the hackers did not steal customers’ credit card or bank account information, or Social Security numbers. For damage-control, the company has also fired two employees over the hacking incident, informed the affected drivers and offered them free credit monitoring and identity theft protection, and tapped a cybersecurity consulting firm for guidance on security processes.
The longer-term damage Uber could face is significant erosion in its customer base, last estimated at 40 million active users monthly. It has steadily ceded ground to its fast-growing rival Lyft, which has about 18.7 million monthly active users.
According to MacDuffie, the trust issue could hurt Uber “in any number of ways” such as being first with autonomous vehicle taxis, attracting talent, gaining regulatory support and signing partnerships with other companies to advance its business. He noted that Google, which was an early investor in Uber, is now partnering with Lyft through its Waymo subsidiary, whereas “[it] might have done that in the past with Uber.” Leadership in driverless cars is seen as critical in the next round of competition in the ride-hailing app segment, he added.
Although Kalanick is no longer CEO, his continued presence on Uber’s board has been a sticking point with many investors, including Benchmark Capital. Japan’s SoftBank, too, has reportedly sought corporate governance changes at the company before it invests money. At the same time, Kalanick has been trying to increase his influence on Uber, but “each of these revelations about him certainly makes it harder for him to do that,” said MacDuffie. Kalanick was CEO when the hacking incident occurred, and he authorized the ransom payment to the hackers. Under his watch, Uber had also agreed to a $4.5 million settlement with former employee Ric Jacobs, whose letter detailing Uber’s plans for corporate spying and regulatory evasion was read in court. A lawyer for Uber has subsequently said that the letter from Jacobs included “fantastical” claims intended to extort money from the company.
Meanwhile, Uber’s legal troubles are only widening. In the past week, probes into the data breach have been launched by the Federal Trade Commission, the New York State Attorney General and three European government agencies. Matwyshyn noted that the latest revelations come as Uber approaches a deadline in about a month to disclose to the FTC the security challenges it needs to remedy, as part of a settlement it had earlier struck with the agency. “The FTC will undoubtedly be revisiting its settlement agreement and Uber’s compliance with its agreed-upon terms,” she said.
Business Model in Question
Uber’s business model benefited from significant latitude in earlier times as its investors and customers tolerated its skirmishes with regulators in many US states and overseas as the price one pays for innovation. “A narrative about Uber in the early days was ‘Well, they’re doing something completely new. Innovators have to break some eggs. They can’t just follow all the rules,’” MacDuffie said. “There was a lot of willingness to say, ‘OK, this is not only something that maybe has to happen to bring about big innovation; it is a good thing.’”
However, all that patience has begun to wear away, MacDuffie noted. “Each of these scandals potentially affects a different set of customers who might have been willing to forgive Uber.” The allegations of sexual discrimination under Kalanick’s tenure, which hastened his exit, also continue to haunt it.
Matwyshyn described Uber’s set of problems as an “unforced error,” or the outcome of its own ill-advised actions and not because some competitor outsmarted it. She noted that Uber had an innovative idea with its ability to connect drivers and commuters “in a streamlined manner,” and that helped it create a “very loyal initial user base.” But the company’s “bull-in-the-china-shop” tactics with regulators as it entered new markets, how it responded to complaints from customers and drivers, and its handling of the recent security incidents have chipped away at the patronage it had built up, she added. “I wouldn’t say it innovated first and asked questions second, but it broke the rules first and asked questions second. That was not necessary because of the strength of their product.”
Uber also made a wrong move in paying the hackers to destroy the data they stole, Matwyshyn said. “It goes against the intuition that if you pay for criminals to discontinue their victimization of you, you’re setting up the wrong incentive structure” for the next potential data breach.” She noted that other victims of data breaches — such as Netflix and HBO — have refused to pay ransom money to hackers.
MacDuffie noted that Airbnb, the sharing economy innovator in the hospitality industry, has also faced harsh regulatory actions in many parts of the world. However, unlike Uber, Airbnb seems to be cooperating with regulators to rectify its practices, he said.
Going forward, Uber’s troubles may eventually set the company back on the right course with “a culture of self-scrutiny and stronger ethical self-analysis,” said Matwyshyn. MacDuffie agreed, and added, “One thing that helps with culture change is a deep existential crisis” where the realization is: “We may fail as a company.”
The views expressed in this article are the author’s own and do not necessarily reflect Fair Observer’s editorial policy.