Uber has been hit with another scandal: This time, it’s the revelation that hackers stole the personal data of 57 million customers and drivers more than one year ago – and that its chief security officer hid the breach and paid hackers $100,000 to delete the stolen information.
According to a report from Bloomberg, data compromised in the October 2016 cyberattack included the names, email addresses and phone numbers of 50 million Uber riders around the world. The personal information of about 7 million drivers was also breached, including some 600,000 U.S. driver’s license numbers. The ride-sharing company said that no Social Security numbers, credit card information, trip location details or other data were taken.
In response to the findings, Uber fired chief security officer Joe Sullivan, as well as Craig Clark, a senior lawyer who reported to him, for their roles in obscuring the hack, which included a $100,000 payment to the attackers to delete the data and conceal the breach. Uber said it believes the information was never used, and declined to disclose the identities of the attackers.
“None of this should have happened, and I will not make excuses for it,” Dara Khosrowshahi, who took over as chief executive officer in September, said in an emailed statement. “We are changing the way we do business.”
Travis Kalanick, Uber’s co-founder and former CEO, learned of the hack in November 2016.
The breach happened when two attackers accessed a private GitHub coding site used by Uber software engineers, obtained login credentials and then used them to access data stored on an Amazon Web Services account. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money.
“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals,” Khosrowshahi said. “We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”
The company informed the New York Attorney General, Eric Schneiderman, and the FTC about the October 2016 hack for the first time on Tuesday. Schneiderman has now launched an investigation into the cybercrime.
Khosrowshahi said in his emailed statement: “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”