Uber reportedly concealed a cyberattack that saw the personal data of 57 million people stolen by hackers who the company paid off to keep quiet about the incident.
Bloomberg reports Uber fell victim to a cyberattack from a group of hackers that saw the data of 57 million Uber users and drivers stolen. The company reportedly kept this attack hidden from the public for over a year, leading to the firing of chief security officer Joe Sullivan this week along with one of his deputies. The stolen data, dating back to October 2016, contains the names, email addresses, and phone numbers of 50 million Uber riders worldwide, according to a statement from the company.
The personal details of approximately 7 million drivers were also accessed by hackers, including 600,000 U.S. driver's license numbers. Social security numbers and trip location details were not among the data stolen. Uber has now acknowledged that it had a legal obligation to report the hack to the drivers and customers affected, as well as regulators, but instead paid the hackers $100,000 to delete the stolen user information and stay quiet about the hack.
Dara Khosrowshahi, who replaced Travis Kalanick as CEO of Uber in September, said in a statement, “None of this should have happened, and I will not make excuses for it. We are changing the way we do business.”
Former Uber CEO Travis Kalanick reportedly learned of the data breach in November 2016, a month after it took place. Former chief security officer Joe Sullivan reportedly took the lead in responding to the hack, and an investigation by Uber’s board into Sullivan led to the discovery of the hack and subsequent cover-up.
The attack reportedly took place when hackers accessed a private GitHub website where Uber software engineers stored code. The hackers then used login details obtained from the files held on GitHub to gain access to the company’s Amazon Web Services account, where the hackers discovered archives of Uber user data. They then emailed Uber demanding money, holding the data for ransom.
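The exposure described above, cloud credentials sitting in files in a code repository, is something a defender can check for before code is pushed. The following Python sketch is an added example, not code from Uber or from the report: it flags AWS-style keys in a source tree. It assumes the "login details" were AWS access keys, which the article does not specify, and the sample file is constructed using the example keys from AWS's documentation.

```python
import re
import sys
from pathlib import Path

# Access key IDs: 20 chars, "AKIA" (long-term) or "ASIA" (temporary) prefix.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Secret keys: 40 base64-style chars. Only flagged when assigned to a name
# containing "secret", which keeps false positives on hashes and blobs down.
SECRET_KEY = re.compile(
    r"(?i)secret[\w-]*\s*[:=]\s*[\"']?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")

# Constructed sample; the values are AWS's documentation example keys.
SAMPLE = """\
[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

def redact(value):
    """Keep the first four characters so reports never re-leak the key."""
    return value[:4] + "*" * (len(value) - 4)

def scan_text(text, source="<memory>"):
    """Return (source, line number, kind, redacted value) for each hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append((source, lineno, "aws_access_key_id", redact(m.group(0))))
        for m in SECRET_KEY.finditer(line):
            findings.append((source, lineno, "aws_secret_access_key", redact(m.group(1))))
    return findings

def scan_tree(root):
    """Scan the working tree under root; .git internals are skipped, so keys
    that exist only in commit history are not covered by this check."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or ".git" in path.parts:
            continue
        try:
            findings.extend(scan_text(path.read_text(errors="ignore"), str(path)))
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
    return findings

if __name__ == "__main__":
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE, "sample")
    for source, lineno, kind, value in hits:
        print(f"{source}:{lineno}: {kind} {value}")
    sys.exit(1 if hits else 0)  # non-zero exit lets a pre-commit hook or CI job block
```

A key that has already been committed should be treated as exposed and rotated, since deleting it from the current files leaves it in the repository history.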
“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals,” Khosrowshahi said. “We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”
This latest hack adds to Uber’s already long list of recent scandals, including alleged sexual assaults by a number of Uber drivers resulting in a lawsuit against the company. Uber has also boycotted Breitbart News, telling advertising agencies that they want “nothing to do” with the website.