The ride-hailing app has admitted that hackers accessed the personal data, including mobile phone numbers and email addresses, of 57 million users globally, including around 600,000 drivers in the US.
The hackers were then paid $100,000 (£76,000) to destroy the data, according to a BBC article entitled 'Uber concealed huge data breach'. A Financial Times headline read 'Uber hid massive data breach from passengers and regulators'. The UK data watchdog this morning said it would be investigating.
Time to repair
A nearly 500-word statement from Khosrowshahi, who took up his role in August, was posted on the firm's website. It begins by saying that Uber must be "honest and transparent as we work to repair our past mistakes", and says that he only "recently" learned of the late 2016 breach.
A separate 'help' page has been set up to advise concerned customers and drivers.
"You may be asking why we are just talking about this now, a year later. I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it," Khosrowshahi's statement continues.
"What I learned, particularly around our failure to notify affected individuals or regulators last year, has prompted me to take several actions," it says, before listing them: the appointment of a security expert to advise him, getting rid of "two of the individuals who led the response to this incident" and other actions including notifying regulators and users.
It concludes: "None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers."
Comment: CEO has 'acted skilfully'
Adam Leigh, strategy director at W Communications, told PRWeek: "It's the Watergate principle that really applies here: the cover-up is harder to forgive than the data breach itself. On that basis, Uber's new CEO Dara Khosrowshahi has acted skilfully, with a detailed apology and action plan that deftly draws a line under the incident – while squarely throwing his predecessor [Travis Kalanick] under the limo. 'This may have happened under the other guy,' he's saying, 'but not me'."
On whether Uber's passengers will buy it, he said: "Of course they will – they love the service it offers and the prices it charges."
He also noted that Uber might take comfort from having been far from the only company to suffer data woes of late. "There's a certain amount of cloud cover to be had; consumers are increasingly used to the spectre of cyber-crime," he said.
Will Gardiner, head of enterprise tech at the UK agency CCgroup, also praised the statement. He said: "Naturally, the media coverage is tying this event to the lengthy string of negative stories the company has suffered in the past – a historic reputation which is in stark contrast to the 'new look' Uber that Khosrowshahi is trying to create.
"Khosrowshahi’s transparency and conciliatory tone have turned the inherently negative news cycle into an opportunity to reinforce the message of how Uber intends to do business in the future. It’s making the best out of a terrible situation."
On Twitter, Amy Grimshaw, head of PR for tech accelerator Founders Factory, concurred.
"Makes a statement that transparency is a priority - no more hiding and shady behaviour. Dara setting his new agenda, distancing them from Travis" (Amy Grimshaw, @AmyGrimmers, November 22, 2017)
Uber rarely gets much time out of the limelight - earlier this week Colorado's Public Utilities Commission fined the company nearly $9m (£6.8m) following claims it allowed 57 drivers to work in the state despite serious red flags in their backgrounds, including criminal convictions such as felonies.
The firm is also fighting for its right to operate in London, after Transport for London revoked its operating licence in September, pending an appeal. Khosrowshahi said at the time that he was aware that Uber had to "change", and its chief brand officer has also discussed its desire to evolve.
PRWeek sister title Campaign reports today that the breach revealed yesterday could have cost the firm nearly £18m in fines under new data protection laws coming into force in the UK next year.