Uber is going to have to explain to Congress why it hid the 2016 data breach that affected 57 million users

The questions — sent by Democrats and Republicans alike — could carry severe legal repercussions for Uber.

Uber is facing fresh questions from the U.S. Congress after it initially suppressed details about a data breach that affected more than 57 million of its drivers and riders in 2016.

In a series of letters sent to the ride-hailing company on Monday, Democrats and Republicans alike pressed Uber to detail why it hadn’t informed customers sooner, whether it has spoken with law enforcement agencies about the matter and what exactly it’s doing to help drivers whose sensitive data was stolen.

To all of the lawmakers that wrote Uber, though, the incident also amounted to just the latest misstep by a tech giant that’s repeatedly faced a litany of government probes for its controversial business practices.

It’s not just that the company “concealed the breach without notifying affected drivers and consumers,” began a group of four Republicans, led by Sen. John Thune, in their note to the company Monday. It’s that “prior privacy concerns at Uber” make it “a serious incident that merits further scrutiny.”

Asked about the letter, an Uber spokesman said the company has “been in contact with members of Congress and the relevant committees to inform them of the situation,” adding: “We are working to respond to their inquiries and address their concerns.”

The barrage of criticism Monday came days after Uber revealed that the company — at the time under the leadership of Travis Kalanick — fell victim to a major security breach in 2016 and paid the hackers a $ 100,000 ransom to transfer the stolen data back. The information taken included names, phone numbers, email addresses, and in the case of 600,000 of its drivers, their license data, too.

In sharing those findings last week — perhaps hoping to do so under the cover of the Thanksgiving holiday — new Uber CEO Dara Khosrowshahi said that the company’s chief security officer had been fired. Uber also added new security aides to help it further investigate the breach.

Still, Khosrowshahi’s apology hasn’t satisfied federal regulators, including Thune and three other Senate Republicans, who lead key committees that oversee tech, telecom, finance and data security.

In their letter, sent Monday, the lawmakers demanded that Uber detail a full timeline as to what it discovered about the breach, as well as which state and federal law enforcement or regulatory agencies the company informed about the incident. They also asked Uber to assure that riders’ and drivers’ other critical, sensitive information had not been stolen.

Among lawmakers’ additional concerns: Federal officials use Uber, so Senate Republicans are trying to “identify and mitigate potential consumer harm and identity-theft-related fraud against federal programs,” they wrote.

Uber’s replies could carry serious political and legal repercussions. Forty-eight states have laws on their books that require companies to inform consumers promptly whenever their information has been stolen — and in many cases, the theft of Uber drivers’ license numbers would have required the ride-hailing company to make the breach public. To that end, at least five states’ attorneys general are investigating Uber on related grounds, Recode first reported last week.

Meanwhile, the four Republicans asked Uber if it had disclosed details of the breach to the Federal Trade Commission. The agency had been investigating Uber at the time of the incident in 2016 for another, unrelated privacy and security mishap. If Uber did not inform the FTC, it could face additional penalties.

Echoing some of those same concerns was Democratic Sen. Mark Warner, who sent his own letter to Uber on Monday. In asking for more information about why it hadn’t disclosed the breach sooner, he also pressed Uber to explain why it didn’t have a more secure system to handle payments.

Warner further demanded that Uber share how it managed to find the hackers in the first place. While he acknowledged that the company could have discovered the criminals using forensics, Warner said that Uber’s “past pattern of conduct” still causes him to wonder if the ride-hailing app essentially tried to “hack back” its hackers. That’s illegal under federal law, Warner reminded.

Once Uber found the hackers, though, it paid them a $ 100,000 ransom and required them to sign a nondisclosure agreement. To Warner, that “thwarts law enforcement’s ability to bring criminal hackers to justice.”

Recode – All

SoftBank will try and buy shares of Uber at a 30 percent discount

It proposes a $ 48 billion valuation for the ride-hailing company.

SoftBank is preparing to buy shares of Uber at a price that values Uber at only $ 48 billion, a steep 30 percent discount rate for ownership in the company, which was last valued at almost $ 70 million.

That’s in line with what Uber investors were expecting; Recode reported this weekend that the price could be as low as $ 48 billion or as high as $ 52 billion. The $ 48 billion price, confirmed by a person with knowledge of the figure, will however raise concerns about whether the secondary sale will succeed — SoftBank needs to accumulate 14 percent of the company’s shares to trigger the so-called “tender offer.”

Several investors have said privately that they would be unlikely to sell at such a rate. Investors can often buy shares of a company more cheaply on secondary markets — from existing investors — than they can by buying new shares in the company.

Here’s our rundown, handicapping who could sell and who the deal hinges on.

If the price in sufficiently high and SoftBank can’t cobble together a 14 percent ownership stake, the Japanese conglomerate could try and raise its bid in order to attract enough sellers. This first round will run for 20 business days.

The full details will be circulated to shareholders on Tuesday. The $ 48 billion price was first reported by Bloomberg.

Recode – All

The city of Chicago is suing Uber for failing to disclose the breach of 57 million users’ data

The city said Uber did not correct security vulnerabilities in its system as it agreed to after a previous data hack.

The city of Chicago has filed a lawsuit against Uber for failing to disclose a 2016 data breach that affected 57 million of its users.

The lawsuit comes just days after the Illinois attorney general’s office told Recode that it was opening an investigation into the company.

In addition to failing to notify users and the public about the information that was exposed, the company paid the hackers $ 100,000 to delete the data and subsequently had them sign nondisclosure agreements. The city further alleges that the ride-hail company failed to correct security vulnerabilities that led to a previous data breach in 2014.

The complaint reads:

“After the details of Uber’s May 12, 2014 data breach were revealed to the public, Uber was investigated by a number of state and federal regulators that were concerned about its inadequate data security practices. Uber ultimately promised to bolster its data security policies by, inter alia, adopting protective technologies for the storage, access, and transfer of private information…less than a year later the same failures led to a breach that was one thousand times worse.”

The city, which is also suing Uber on behalf of Illinois residents, is asking for a series of monetary damages in addition to a jury trial. The city has asked that a judge fine Uber $ 10,000 a day for each day that it violated the state’s ordinance on public information disclosure.

The city is also asking for the court to levy a $ 50,000 fine against the company for violating the Illinois Consumer Fraud Act.

In addition to Illinois, at least four other states — Massachusetts, Missouri, New York and Connecticut — told Recode that they would investigate the matter, after Uber revealed that the intrusion exposed names, addresses and driver’s license numbers in some cases.

Additionally, the company is facing a series of questions from the U.S. Congress over why it took so long to disclose the hack. Some of those lawmakers asked for a full timeline of what the company discovered about the breach.

Others, like Democratic Sen. Mark Warner, who sent his own letter to Uber on Monday, asked Uber how it managed to find the hackers in the first place. Given Uber’s “past pattern of conduct,” Warner wondered if the company tried to “hack back” the hackers, which is illegal under federal law.

We’ve reached out to Uber and will update when we hear back.

Here’s the full complaint:

Recode – All

Recode Daily: Politically conservative Meredith Corp. bought Time Inc. with $650 million from the politically conservative Koch Bros.

Plus, questions about those “pro-repeal” net neutrality comments, Cyber Monday emerges from Black Friday’s shadow, and the backlash from that “Nazi next door” profile in the New York Times.

Backed by a $ 650 million cash infusion from the politically conservative Koch brothers, the politically conservative Meredith Corp. has bought Time Inc., the publisher of once-premier glossy titles including Time, Sports Illustrated and People. Charles and David Koch have long sought to shape political discourse through their support of nonprofit organizations, universities and think tanks, but have never owned their own media company; they have gone on the record saying they’re investing in the magazine business because it’s a good investment — not because they want media outlets to carry their conservative messages. [Peter Kafka / Recode]

Net neutrality supporters have a strong legal case to overturn FCC chairman Ajit Pai’s proposed rules repeal in court; the agency is trying to force a vote on its plan on Dec. 14. Analysis of the FCC net neutrality comments found that more than one million pro-repeal comments may have been faked, with 99 percent of the organic comments in favor of keeping rules. FCC Commissioner Jessica Rosenworcel weighed in with a frankly worded LA Times op-ed, saying, “I’m on the FCC. Please stop us from killing net neutrality.” [Tim Wu / The New York Times]

Today is Cyber Monday, which is anticipated to generate more retail income than Black Friday. Some shoppers were surprised to find un-crowded Targets, Best Buys and Walmarts when they dutifully showed up prepared for Black Friday mobs. That’s because the action has been spread out for nearly the full week and was already happening on mobile phones and tablets, where shoppers spent $ 2.9 billion on Thanksgiving, an 18 percent increase over last year; consumers are expected to spend $ 107.4 billion online this holiday season, up 14 percent over last year. [Jason Del Rey / Recode]

On Black Friday, HBO was the first advertiser to test Snapchat’s new ad format in the U.S. — HBO’s Promoted Story told viewers to stay home and watch “Game of Thrones” instead. Promoted Stories let advertisers pay to push their Stories to more users, and because they are country-wide, a brand could push their ad to all Snapchat users in the U.S. [Kurt Wagner / Recode]

The New York Times published a big profile of a white supremacist, the Nazi sympathizer next door.” Then, answering an outpouring of criticism, the NYT took 706 words to responded to everyone who hated its story about the “polite and low-key” American Nazi. Then the Atlantic objected, too. And Quartz … [Theodore Schleifer / Recode]

New Uber CEO Dara Khosrowshahi talks about his family’s immigration from Iran amid the 1978 revolution — and when he first felt like an American. Khosrowshahi, who came to America at age 9, believes that his background will help him reform Uber’s toxic culture, so, “In contrast to his callously confrontational predecessor, [he] understands what it’s like to be an outsider.” [Steven Levy / Wired]

Here’s why you’re reading this email newsletter: They work. The Washington Post has more than 70 newsletters alone, focusing on topics as varied as politics, faith and parenting (it even has a newsletter that features the best comments). And monetization efforts play second fiddle to a more important business consideration: Driving and retaining digital news subscriptions. [Rob Tornoe / Editor & Publisher]

Top stories from Recode

Will Tesla disrupt the trucking industry?

The Verge’s Tamara Warren breaks down what’s the deal with those Tron-looking trucks (and why they have no mirrors) on Too Embarrassed to Ask.

The company behind Pokémon Go has a Harry Potter game in the works — here are some unsolicited suggestions from a Potthead.

Dear Niantic: Please don’t screw this up.

How LinkedIn co-founder Reid Hoffman would fix social media.

Hoffman, now a general partner at Greylock partners, talks with Kara Swisher on the latest episode of Recode Decode.

This is cool

Trolling Trump with the cover of Time magazine.

Recode – All

How LinkedIn co-founder Reid Hoffman would fix social media

Hoffman, now a general partner at Greylock Partners, talks with Recode’s Kara Swisher on the latest Recode Decode.

Humans frequently say insulting things to one another, and technology can’t “solve” that. But tech companies can and should find ways to make their platforms healthier and more positive, LinkedIn co-founder Reid Hoffman says.

“These are all private businesses, and you can say, ‘Look, if this is your business, you can take it elsewhere,’” Hoffman said on the latest episode of Recode Decode, hosted by Kara Swisher. “That happens in hotels, happens in online stuff. Articulate something around that! ‘This is the way we articulate our opposition to hate speech and hatred: We enable discussion, but we don’t enable oppression of violence.’”

Swisher interviewed Hoffman at “Never Is Now,” an event about anti-Semitism run by the Anti-Defamation League in San Francisco, earlier this month. Hoffman, now a general partner at Greylock Partners, is also the host of his own podcast, Masters of Scale.

You can listen to Recode Decode on Apple Podcasts, Spotify, Pocket Casts, Overcast or wherever you listen to podcasts.

On the new podcast, Hoffman explained why he believes tech companies should issue regular report cards about their own values and how they’re working to advance them. Much like the increasingly common reports on how diverse a company’s workforce is, Hoffman says they can make a difference by turning positivity into a metric to optimize for.

“I don’t think the things we’re doing should be, ‘Oh, we blocked x-thousand pieces of bad content,’” he said. “Great! That’s fine. But also, what are you doing proactively? What are you doing to try to create more compassion, more interaction, more mutual understanding? Creating a simple report structure, that could then be part of how companies report, is a really good idea.”

Not every platform would report in exactly the same way — but having a common report would point them in the same direction, at least.

“That would probably be implemented in a different way on Reddit,” Hoffman said. “It could be, for example, the ratio of positive-sentiment conversations to negative-sentiment conversations. They would have to decide themselves, ‘This is who we are, this is what we’re about, these the metrics we’re tracking and we’re being open about those metrics, so that you guys can hold us accountable: Are we having the right impact on society?’”

If you like this show, you should also sample our other podcasts:

  • Recode Media with Peter Kafka features no-nonsense conversations with the smartest and most interesting people in the media world, with new episodes every Thursday. Use these links to subscribe on Apple Podcasts, Spotify, Pocket Casts, Overcast or wherever you listen to podcasts.
  • Too Embarrassed to Ask, hosted by Kara Swisher and The Verge’s Lauren Goode, answers the tech questions sent in by our readers and listeners. You can hear new episodes every Friday on Apple Podcasts, Spotify, Pocket Casts, Overcast or wherever you listen to podcasts.
  • And Recode Replay has all the audio from our live events, including the Code Conference, Code Media and the Code Commerce Series. Subscribe today on Apple Podcasts, Spotify, Pocket Casts, Overcast or wherever you listen to podcasts.

If you like what we’re doing, please write a review on Apple Podcasts— and if you don’t, just tweet-strafe Kara.

Recode – All