12/7/2017 Ubers Data Breach: Can the Company Course-correct?

- Knowledge@Wharton

TECHNOLOGY

Ubers Data Breach: Can the Company

Course-correct?
Dec 01, 2017 North America Business Radio, Podcasts

Ride-hailing app company Uber is not about to see any immediate loss of customers
following recent disclosures that it failed to notify both regulators and the public about a
huge data breach. But the company is facing serious longer-term threats to its dominant
market position if customers worry about its safety compliance as the industry moves
towards driverless cars, according to experts at Wharton and Northeastern University. The
disclosures have prompted multiple investigations against Uber in the U.S. and in Europe,
which will likely impact its $68 billion valuation as it prepares for an initial public o ering in
2018 or 2019.

The disclosures came as Judge William Alsup of the U.S. District Court in California began
hearing a case in which Google parent company Alphabet has accused Uber of stealing its
trade secrets on driverless car technology from its subsidiary Waymo. One revelation was
that Uber delayed disclosing to regulators, consumers and drivers that hackers had stolen
data on 57 million user accounts, including those of 600,000 drivers, last October. A month
later, Uber quietly paid the hackers $100,000 in ransom to destroy that data.

http://knowledge.wharton.upenn.edu/article/how-uber-can-come-back-from-a-hack/?utm_source=kw_newsletter&utm_medium=email&utm_camp 1/5
12/7/2017 Ubers Data Breach: Can the Company Course-correct? - Knowledge@Wharton

In a subsequent revelation, a letter from a former Uber employee that was read out loud in
Judge Alsups court talked of a company unit that sought to collect competitors trade
secrets, and of e orts to train employees to shield unlawful schemes from regulators.
Judge Alsup Tuesday put o the Waymo-Uber trial, saying that the letters contents put
Waymo at a disadvantage.

The hacking episode and the revelation of a clandestine unit to dodge regulators t into a
pattern of problems at Uber, many of which do involve deception, said Wharton
management professor John Paul MacDu e, who is also director of the schools Program on
Vehicle and Mobility Innovation. Each of these [incidents] are just going to chip away at
Ubers reputation and its hold on its customers. Earlier this year, Uber had committed itself
to strengthening its corporate culture following a report written by former U.S. Attorney
General Eric Holder.

The reputational issues really matter when a

consumer is faced with trusting a machine with
her safety.
Andrea Matwyshyn

The reputational issues really matter when a consumer is faced with trusting a machine
with her safety and getting from point A to Point B without fear of malfunction and/or
compromise and the result is potentially physical dismemberment and death, said Andrea
Matwyshyn, professor of law and computer science at Northeastern University and an
a liate scholar at the Center for Internet and Society at Stanford University. Trust and
branding as [they apply] to choices by consumers will become increasingly relevant, and
determine the winners and losers in the ride-hailing apps that deploy autonomous
vehicles.

MacDu e and Matwyshyn discussed Ubers troubles and their implications for the company
and its industry segment on the Knowledge@Wharton show on Wharton Business Radio on
SiriusXM channel 111. (Listen to the podcast at the top of this page.)

Uber CEO Dara Khosrowshahi inherited those troubles after the companys board ousted its
controversial co-founder and former CEO Travis Kalanick in June 2017. None of this should
have happened, and I will not make excuses for it. While I cant erase the past, I can commit
on behalf of every Uber employee that we will learn from our mistakes, Khosrowshahi said
in a statement.

http://knowledge.wharton.upenn.edu/article/how-uber-can-come-back-from-a-hack/?utm_source=kw_newsletter&utm_medium=email&utm_camp 2/5
12/7/2017 Ubers Data Breach: Can the Company Course-correct? - Knowledge@Wharton

Khosrowshahi noted that the company has not seen evidence of fraud or misuse related to
the hacking, and that is monitoring the a ected accounts. He said the hackers did not steal
customers credit card or bank account information, or Social Security numbers. For
damage-control, the company has also red two employees over the hacking incident,
informed the a ected drivers and o ered them free credit monitoring and identity theft
protection, and tapped a cybersecurity consulting rm for guidance on security processes.

Casualty List

The longer-term damage Uber could face is signi cant erosion in its customer base, last
estimated at 40 million active users monthly. It has steadily ceded ground to its fast-
growing rival Lyft, which has about 18.7 million monthly active users.

According to MacDu e, the trust issue could hurt Uber in any number of ways such as
being rst with autonomous vehicle taxis, attracting talent, gaining regulatory support and
signing partnerships with other companies to advance its business. He noted that Google,
which was an early investor in Uber, is now partnering with Lyft through its Waymo
subsidiary, whereas [it] might have done that in the past with Uber. Leadership in
driverless cars is seen as critical in the next round of competition in the ride-hailing app
segment, he added.

Although Kalanick is no longer CEO, his continued presence on Ubers board has been a
sticking point with many investors, including Benchmark Capital. Japans SoftBank, too, has
reportedly sought corporate governance changes at the company before it invests money. At
the same time, Kalanick has been trying to increase his in uence on Uber, but each of these
revelations about him certainly makes it harder for him to do that, said MacDu e. Kalanick
was CEO when the hacking incident occurred, and he authorized the ransom payment to the
hackers. Under his watch, Uber had also agreed to a $4.5 million settlement with former
employee Ric Jacobs, whose letter detailing Ubers plans for corporate spying and regulatory
evasion was read in court. A lawyer for Uber has subsequently said that the letter from Jacobs
included fantastical claims intended to extort money from the company.

A narrative about Uber in the early days was

Well, theyre doing something completely new.
Innovators have to break some eggs.
John Paul MacDuf e

Meanwhile, Ubers legal troubles are only widening. In the past week, probes into the data
breach heave been launched by the Federal Trade Commission, the New York State Attorney
General and three European government agencies. Matwyshyn noted that the latest

http://knowledge.wharton.upenn.edu/article/how-uber-can-come-back-from-a-hack/?utm_source=kw_newsletter&utm_medium=email&utm_camp 3/5
12/7/2017 Ubers Data Breach: Can the Company Course-correct? - Knowledge@Wharton

revelations come as Uber approaches a deadline in about a month to disclose to the FTC the
security challenges it needs to remedy, as part of a settlement it had earlier struck with the
agency. The FTC will undoubtedly be revisiting its settlement agreement and Ubers
compliance with its agreed-upon terms, she said.

Business Model in Question

Ubers business model bene ted from signi cant latitude in earlier times as its investors and
customers tolerated its skirmishes with regulators in many U.S. states and overseas as the
price one pays for innovation. A narrative about Uber in the early days was Well, theyre
doing something completely new. Innovators have to break some eggs. They cant just follow
all the rules, MacDu e said. There was a lot of willingness to say, OK, this is not only
something that maybe has to happen to bring about big innovation; it is a good thing.

However, all that patience has begun to wear away, MacDu e noted. Each of these scandals
potentially a ects a di erent set of customers who might have been willing to forgive Uber.
The allegations of sexual discrimination under Kalanicks tenure, which hastened his exit,
also continue to haunt it.

Matwyshyn described Ubers set of problems as an unforced error, or the outcome of its
own ill-advised actions and not because some competitor outsmarted it. She noted that Uber
had an innovative idea with its ability to connect drivers and commuters in a streamlined
manner, and that helped it create a very loyal initial user base. But the companys bull-
in-the-china-shop tactics with regulators as it entered new markets, how it responded to
complaints from customers and drivers, and its handling of the recent security incidents
have chipped away at the patronage it had built up, she added. I wouldnt say it innovated
rst and asked questions second, but it broke the rules rst and asked questions second.
That was not necessary because of the strength of their product.

Each of these scandals potentially affects a

different set of customers who might have been
willing to forgive Uber. John Paul MacDuf e

Uber also made a wrong move in paying the hackers to destroy the data they stole,
Matwyshyn said. It goes against the intuition that if you pay for criminals to discontinue
their victimization of you, youre setting up the wrong incentive structure for the next
potential data breach. She noted that other victims of data breaches such as Net ix and
HBO have refused to pay ransom money to hackers.

http://knowledge.wharton.upenn.edu/article/how-uber-can-come-back-from-a-hack/?utm_source=kw_newsletter&utm_medium=email&utm_camp 4/5
12/7/2017 Ubers Data Breach: Can the Company Course-correct? - Knowledge@Wharton

MacDu e noted that Airbnb, the sharing economy innovator in the hospitality industry, has
also faced harsh regulatory actions in many parts of the world. However, unlike Uber, Airbnb
seems to be cooperating with regulators to rectify its practices, he said.

Going forward, Ubers troubles may eventually set the company back on the right course
with a culture of self-scrutiny and stronger ethical self-analysis, said Matwyshyn.
MacDu e agreed, and added, One thing that helps with culture change is a deep existential
crisis where the realization is: We may fail as a company.

All materials copyright of the Wharton School (http://www.wharton.upenn.edu/) of the University of

Pennsylvania (http://www.upenn.edu/).

http://knowledge.wharton.upenn.edu/article/how-uber-can-come-back-from-a-hack/?utm_source=kw_newsletter&utm_medium=email&utm_camp 5/5