Daily Times

When Uber’s former chief executive Travis Kalanick stood in front of employees to introduce his successor, Dara Khosrowshahi, he became emotional. “Uber’s next chapter begins today,” he told staff in the late August meeting. “The old chapter ends, and the next one begins.”

The moment was supposed to mark a new beginning for Uber, the transportation company worth $68bn that had become a poster child for the worst excesses of Silicon Valley, including allegations of widespread sexual harassment. But three months later, Uber’s new chapter looks strikingly similar to the old one.

The disclosure this week of a serious data breach is the latest in a series of crises that have hampered Mr Khosrowshahi’s efforts to turn over a new leaf. The list of troubles includes a potential ban in London, a lawsuit over self-driving technology brought by Alphabet’s Waymo, and the regulatory fallout from the data hack, which affected 57m users around the world. As well as keeping the 2016 breach secret, the company paid a ransom to the hackers.

Amid the revelations, some have started wondering whether Uber can ever escape Mr Kalanick’s shadow. As the company prepares to go public in 2019, further bad news could lead to a delay or a cut to Uber’s valuation.

Erik Gordon, a business school professor at the University of Michigan, says the company is at risk of suffering a “Kalanick risk premium”. He adds: “One of the things that has to happen before they can do an IPO [initial public offering] is they have to be able to assure investors that Kalanick has no influence at the company.”

The belated disclosure about the data hack and the ransom payment has only added to the questions about Mr Kalanick’s tenure. “This is very telling about a company culture,” said Katie Moussouris, founder of Luta Security. “This isn’t the first time that they have been caught doing something unethical and illegal?.?.?.?pushing every legal boundary to fuel their growth.”

Mr Kalanick’s legacy includes building from scratch the biggest tech start-up of all time, raising record sums of money to realise his vision and changing the nature of transportation around the world. At the same time, his scrappy attitude, along with a tendency to flout regulations, helped create a company that now seems full of minefields.

He was ousted by investors in June due to concerns about his judgment. One of those investors, Benchmark, later sued to try to remove him from the board. (The case has been suspended and he remains on the board, in addition to owning 10 per cent of Uber’s shares.)

In recent weeks, the enduring costs of Mr Kalanick’s reign have started to become clearer. The feud between him and Benchmark delayed the progress of a planned investment by a SoftBank-led consortium, which could be worth up to $10bn and which will be a crucial piece in the IPO. Mr Kalanick also played a central role in the acquisition of a self-driving start-up, Otto, that is the focus of Waymo’s lawsuit, and will testify at that trial next month.

For Mr Khosrowshahi, one of his chief public roles during these first months on the job has been to make a show of contrition for things that did not happen under his watch, causing some to dub him the “apologiser in chief”. He has a knack for the role, which was on display earlier this week, when Uber admitted that it failed to notify regulators or users about the 2016 data breach. “None of this should have happened, and I will not make excuses for it,” he wrote.

The cyber attack provides a case study in Uber’s sometimes self-defeating culture. The incident was not particularly unusual, but the cover-up could end up being costly. Hiding the breach has already attracted the ire of regulators from the US to Europe and could lead to lawsuits. “They have definitely made it a lot worse for themselves,” Ms Moussouris said, adding that there is a “well rehearsed” routine for companies to send out breach notifications. The origins of the hack are all too common. Like the recent attack on the credit bureau Equifax, which exposed records of up to 143m Americans, the hackers did not use sophisticated methods to get access the data. The attackers found the username and password to a cloud account containing the data by breaking into a private account on the software repository Github used by Uber engineers.

Names, emails and phone numbers of 50m passengers were lost – which, unlike the Equifax case, is not the most sensitive information. However, the loss of 600,000 US drivers’ licence numbers could be more serious, as they can be used in identity fraud.

The hack was discovered in October 2016, and Mr Kalanick found out about it a month later, according to people familiar with the events, but he did not inform the board. Moreover, rather than notify regulators and the people whose data had been taken – which is a legal requirement in many jurisdictions – Uber covered it up, and paid the hackers $100,000 to destroy the stolen information. None of this would have come to light if it had not been for a separate investigation that Uber’s board commissioned into the activities of its security team, which covers cyber security as well as physical security and competitive intelligence operations. Some of those competitive intelligence practices had become the subject of a probe by the Federal Bureau of Investigation.

Published in Daily Times, November 26^th 2017.