Uber Paid Off Hackers to Cover Up 2016 Breach that Affected 57 Million

In a statement released Tuesday, Uber CEO Dara Khosrowshahi admitted that the ride-hailing company suffered a major cybersecurity breach in 2016, with 57 million passengers’ information—including names, email addresses, and phone numbers—illegally accessed. In addition, the unidentified hackers downloaded 600,000 US driver records including license numbers from a third party, cloud-based service Uber utilizes. Uber assured customers that no financial or Social Security information was downloaded in the hack.  

At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals [responsible],” said Khosrowshahi. “We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”  

As of this time it is unclear what, if any, monitoring systems or procedures Uber used to secure this data prior to or in the aftermath of the attack. The hackers reportedly demanded $100,000 from Uber in exchange for their silence and for the destruction of all the illegal copies of customers’ information. Uber’s then Chief of Information Security Joe Sullivan allegedly complied with their demands and did not inform state or federal authorities of the breach, violating California—Uber’s headquarters location–state law. Sullivan has since been removed from his position.  

Sullivan said in a statement: “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”

It is unclear how the hack may affect Uber’s business or its already tarnished public perception. After giving his statement, it was revealed that Khosrowshahi knew of the hack two months before alerting the public. Although the breach occurred under Khosrowshahi’s predecessor Travis Kalanick, Kalanick is still on Uber’s Board of Directors.  

Investigations by the office of the New York and the Massachusetts Attorney Generals are ongoing.  

Thanks to Engadget, The Register, and CNN for sources.  

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.
Ben Canner

Leave a Reply

Your email address will not be published. Required fields are marked *