WASHINGTON – U.S. Sen. Jerry Moran (R-Kan.), chairman of the Senate Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security, will convene a hearing titled “Data Security and Bug Bounty Programs: Lessons Learned from the Uber Breach and Security Researchers” at 2:45 p.m. on Tuesday, Feb. 6, 2018. The hearing will examine the October 2016 Uber data breach, the overall value of so-called “bug bounty” programs and other approaches to identifying vulnerabilities, and the allegations of impermissible payments by Uber to conceal the security incident.
Witnesses:
- Mr. Justin Brookman, Director for Consumer Privacy and Technology Policy, Consumers Union
- Mr. John Flynn, Chief Information Security Officer, Uber Technologies, Inc.
- Mr. Mårten Mickos, Chief Executive Officer, HackerOne, Inc.
- Ms. Katie Moussouris, Chief Executive Officer, Luta Security, Inc.
*Witness list subject to change
Tuesday, February 6, 2018
This hearing will take place in Russell Senate Office Building, Room 253. Witness testimony, opening statements, and a live video of the hearing will be available on www.commerce.senate.gov.
Chairman Jerry Moran
Good afternoon. Welcome to the Consumer Protection, Product Safety, Insurance, and Data Security Subcommittee’s hearing on “Data Security and Bug Bounty Programs: Lessons Learned from the Uber Breach and Security Researchers.” The Subcommittee will come to order.
Thank you all for being here today to discuss the October 2016 Uber data breach and the allegations against the company regarding impermissible payments to conceal a security incident through its bug bounty program. A bug bounty is a reward offered to someone outside of the company who identifies an error or vulnerability in a computer program or system in connection with a coordinated vulnerability disclosure program. The committee plans to examine the value of these innovative programs and other coordinated approaches to identify cyber vulnerabilities and prevent these types of incidents.
In late 2016, Uber was notified by anonymous sources that certain archived copies of its databases had been compromised. According to a letter in response to an inquiry made by this committee in partnership with the Senate Finance Committee, Uber’s security team “took immediate steps to respond to and limit the impact of the incident,” including identifying the parties responsible and paying $100,000 to them in exchange for assurances that the compromised data would be deleted.
An independent forensic analysis found that the exposed data included information pertaining to approximately 57 million users in total, from both drivers and riders. 25 million of those affected users were from the United States, and the driver’s license numbers of about 600,000 drivers were compromised in the breach.
The fact that the company took approximately a year to notify impacted users raises red flags within this Committee as to what systemic issues prevented such time-sensitive information from being made available to those left vulnerable. Additionally, my colleagues and I seek specific clarification as to what policy safeguards are currently in place to prevent bug bounty programs from being used as extortion pay-out mechanisms in the future.
These substantive concerns, however, should not completely outweigh the overall utility of this innovative, crowd-sourced approach that many industry actors have taken to proactively identify “chinks in their technological armor” through effectively administered bug bounty programs and other cyber vulnerability disclosure efforts.
As the American public becomes more and more dependent on innovative technologies to complete everyday tasks, cybersecurity vulnerabilities pose a direct threat, whether it be through a critical telehealth monitoring system, an autonomous vehicle transporting your family, or access to personally identifiable information. Cyber threats are continuously evolving with the technology we rely on.
My goal for this hearing is to find out exactly what prevented Uber from immediately notifying its users who were impacted by the 2016 breach, the specifics of the related payments and what steps Uber is taking internally to improve its notification protocols. I also want to have a larger discussion on how vulnerability disclosure programs, like bug bounties, can be used effectively to deter cyber threats from harming consumers.
It is my pleasure to introduce our panel today. Thank you all for being here.
Mr. John “Four” Flynn is the Chief Information Security Officer for Uber Technologies, Inc. He is an expert in information security with over 10 years of experience in the field, including leading infrastructure security at Facebook and managing security operations at Google.
Mr. Mårten Mickos is the Chief Executive Officer of HackerOne, which is a leading bug bounty firm in the country serving a variety of government and private sector clients, including Uber, in administering their crowd-sourced vulnerability disclosure programs.
Ms. Katie Moussouris is the Founder and CEO of Luta Security, Inc., which advises its clients on vulnerability coordination programs and applicable internal company policies.
Mr. Justin Brookman is the Director for Consumer and Technology Policy for the Consumers Union, which is an independent nonprofit consumer organization. In his role, he focuses on policies related to consumer data privacy and security.
I look forward to hearing the testimonies of this expert witness panel. I now turn to my colleague Ranking Member Blumenthal for his opening remarks.
Today’s hearing is the latest edition in a long history of hearings that the Commerce Committee has held on high profile data breaches. Uber now joins Equifax, Yahoo, Target, Sony, and the University of Maryland, among others, as a breached entity telling its story to this committee and to Congress. And this story at this hearing only once again underscores the need for comprehensive and strong federal legislation that will provide adequate protections to consumers.
In this regard, Senator Blumenthal and I have once again introduced such legislation, the Data Security and Breach Notification Act, which would require companies to secure their data and to promptly notify consumers when there is a breach.
The bill would also impose criminal penalties on corporate officials that willfully disguise breaches from the public, and it would provide for robust enforcement by the Federal Trade Commission and state attorneys general working together to hold companies accountable.
As in previous Congresses, I will continue to work with Chairman Thune and other interested members of the committee to craft bipartisan and meaningful data security legislation.
However, any such bill cannot simply cater to corporate interests. A bipartisan bill must provide consumer protections that are better than what is in current law.
Currently, the FTC is the key federal agency that is bringing enforcement actions against breached companies that collected and stored vast amounts of consumer data with lax security standards in place. And a myriad of state laws currently provide American consumers with a limited degree of protection from data breaches.
We should not adopt federal legislation that undercuts the FTC’s existing, long-standing and well-established authority; nor should we consider a bill that eviscerates all state legal protections and replaces them with weak federal standards.
From my standpoint, I can only support a data security bill that provides consumers with protections that are stronger than current ones. It would be better for Congress to pass no bill at all than to pass a bill that provides consumers with fewer protections than under the status quo.
Thank you again, Mr. Chairman. I look forward to hearing from our witnesses.
Witness Panel 1
- Mr. John Flynn, Chief Information Security Officer, Uber Technologies, Inc.
- Mr. Mårten Mickos, Chief Executive Officer, HackerOne, Inc.
- Ms. Katie Moussouris, Chief Executive Officer, Luta Security, Inc.
- Mr. Justin Brookman, Director of Privacy and Technology Policy, Consumers Union