Uber Paid Off Hackers to Cover Up 2016 Breach that Affected 57 Million
In a statement released Tuesday, Uber CEO Dara Khosrowshahi admitted that the ride-hailing company suffered a major cybersecurity breach in 2016, with 57 million passengers’ information—including names, email addresses, and phone numbers—illegally accessed. In addition, the unidentified hackers downloaded 600,000 US driver records, including license numbers, from a third-party, cloud-based service that Uber uses. Uber assured customers that no financial or Social Security information was downloaded in the hack.
“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals [responsible],” said Khosrowshahi. “We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”
As of this time it is unclear what, if any, monitoring systems or procedures Uber used to secure this data prior to or in the aftermath of the attack. The hackers reportedly demanded $100,000 from Uber in exchange for their silence and for the destruction of all the illegal copies of customers’ information. Uber’s then-Chief of Information Security Joe Sullivan allegedly complied with their demands and did not inform state or federal authorities of the breach, violating state law in California, where Uber is headquartered. Sullivan has since been removed from his position.
Sullivan said in a statement: “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
It is unclear how the hack may affect Uber’s business or its already tarnished public perception. After Khosrowshahi gave his statement, it was revealed that he knew of the hack two months before alerting the public. Although the breach occurred under Khosrowshahi’s predecessor Travis Kalanick, Kalanick is still on Uber’s Board of Directors.
Investigations by the offices of the New York and Massachusetts Attorneys General are ongoing.
Thanks to Engadget, The Register, and CNN for sources.