Alternate headline: "New CEO discovers scandal covered up by predecessor, launches internal investigation and announces findings to the public once the investigation is concluded"
Even if you only count the 2 months since Khosrowshahi learned about the 2016 hack, Equifax still took less time (6 weeks) to do its own secret investigation of its hack and publish the results - and yet it was vilified by the public and press for its slow disclosure.
Plus, Khosrowshahi told Softbank about the ongoing investigation 3 weeks before the rest of us - while this information was important to Softbank, it would also be important to any other potential investor, and we do not know whether any others were indeed told about it.
6 weeks really isn't a long time. They had to locate a pentesting firm that specializes in forensic investigation, schedule it, conduct it, then decide what to do.
I know it's an unpopular opinion. But both Uber and Equifax took similar amounts of time.
Uber had a new CEO stepping in and learning how to run the company from zero, and this was one of the many, many things he had to worry about; a threat that was reportedly neutralized.
Equifax leaked the social security information and credit histories of an enormous number of Americans, when their main job is to keep it safe and available.
It’s a little silly to compare the timelines. They’re just completely different.
Depends how equitable the split from the old CEO was. Is he retiring out of his own free will and handing over the company to a trusted successor he helped pick, or is he being forcefully ousted by the board after a massive bitter proxy battle?
Furthermore, it is not as if the breach had just been discovered: Uber had already investigated the issue to the point where it paid the blackmail, so I suspect the then chief of security and his staff already knew enough to make a responsible, if preliminary, disclosure - and to initiate the credit-monitoring program.
And? These companies are exploiting psychology in all humans (at least on average). To put ownership on the consumers only is very silly. It's like excusing the behavior of sugar, alcohol, tobacco, pharmaceutical, etc. and saying "If you consume it's your fault" and ignoring the manipulative practices of these organizations.
This media then blames everything on Facebook and Twitter and Google, and writes an article every day about congressional hearings and how Americans are not trusting tech any more.
He should have come forward with it immediately while still conducting the internal investigation. Not only do customers deserve to know as soon as possible, but it would have established trust in him as CEO and cemented that Kalanick needed to be gone.
You mean he should have told those affected without knowing what actually was leaked, the scope and impact of the leak, and the whereabouts of the leaked data, or making sure there are enough safeguards in place so no one can repeat the same attack? Does not sound more responsible?
The keyword is responsible disclosure, not just disclosure.
Once they knew anything was leaked, no matter what, the responsible move is to inform everyone to give them a chance to lock down their shit. More time or knowledge of where the data is won't save anyone.
As for the "other attacker" excuse, how would that work? Just from knowing that data was leaked no new attacker can deduce the weakness used.
The PR damage to the company would be much greater due to people speculating a worst case scenario. Followed up by the fact people wouldn't care anymore when the investigation is finished.
I completely agree. Taking months to let tens of millions of people know their information was compromised isn't acceptable, no matter whether or not you know all the details about it. (The obvious exception being an as-of-yet insecure point of attack.)
California law requires notification in "the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system."
This sounds like something well, well beyond that. So as far as I'm concerned, the new CEO seems like nearly as much of a scofflaw as the old.
Dara's response: "None of this should have happened, and I will not make excuses for it ... While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes."
I think the headline is fair. In the UK, the ICO requires [1] that breaches are notified within 24 hours of a breach being established. 2 months is a long time and the media is right to paint a negative picture. I suspect it is similar within the EU and I hear it is only going to get stricter once GDPR comes into force next year.
I think there is some blame to be had on the current CEO, Dara Khosrowshahi... but at this point how is Kalanick still allowed to be on the board? This is hugely damaging to Uber, and quite possibly illegal. Not grey area stuff.
It is a way to show confidence that it won't happen again. The same's true for a new CEO announcing this. Uber is on a "flattery strike" (for lack of a better word; sry I am not native English) on the general public. They're trying to win our hearts. I see their employees also regularly commenting here, excusing themselves and explaining the situation.
If you're being blackmailed you always lose since a problem with blackmailing is that it doesn't stop as the evidence isn't destroyed. It's like a fork in chess, two evils. However, generally speaking (excluding political motivations such as Clinton leaks), the blackmailer wins nothing by releasing the information. So you can let them win by giving in to paying. I guess this is game theory.
True, if you pay the evidence might seemingly get destroyed (or a seemingly "original copy" of it), but you can't be sure (there might be a "copy of that copy"). Another example of this is revenge porn or CP for that matter. Yet another example of copyright infringement/piracy.
Once it's out in the open, it will keep getting distributed. The cat's out of the bag. It's a problem of the digital age. As a society we haven't quite coped with this issue yet and privacy-invading seemingly free services are clouding our judgements.
Why though?
If he felt he was not ready for the position, he should have applied for a lower one. Though the lower you go, the more you are expected to perform and if you don't, face the consequences....
It takes time for a leader to get to know a new organization when they join it. They are not privy to that level of insider information before getting inside. Whether a CEO is ready for a position is a question of skills, not a question of knowledge. During the first few months, the focus is on gaining knowledge, not skills. So yes. Give the guy a break. This could in no way have been expected to be high on his priority list if the threat was already dealt with.
Take a single issue we, as outside observers, know Uber is wrestling with... saaaaay ongoing litigation about self-driving cars, or internal sexual harassment and cultural issues, or national legal campaigns that threaten their business... two months is veeery little time to get a good handle on them.
And that's not even considering the time a CEO needs just to take a single meeting with relevant internal stakeholders and leaders, and get their outlook settings dialed in.