Uber Technologies CEO Dara Khosrowshahi revealed in a statement that towards late 2016 hackers had stolen personal data of 57 million users stored in a third-party cloud-based service that the firm uses. The massive breach was concealed by the ride-hailing firm for over a year.
According to a Bloomberg report, the company has ousted its chief security officer and one of his deputies for their roles in keeping the hack under wraps, which included a $100,000 payment to the attackers to delete the stolen data.
Hackers had accessed data that included names, email addresses and phone numbers of 50 million Uber riders around the world.
Seven million drivers’ personal information was compromised as well, including around 600,000 US driver’s license numbers. According to Uber, no Social Security numbers, credit card information, trip location details or other data were taken.
At the time of the incident, Uber was negotiating with U.S. regulators investigating separate claims of privacy violations, Bloomberg said.
Uber believes it had a legal obligation to report the hack to regulators and to drivers whose license numbers were taken. “Instead, the company paid hackers to delete the data and keep the breach quiet,” Bloomberg said.
Khosrowshahi said, “While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection.”
The firm declined to disclose the identities of the attackers.
“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said in the statement. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
Following the company’s disclosure of the hack, New York Attorney General Eric Schneiderman launched an investigation into it, his spokeswoman Amy Spitalnick told Bloomberg. The report said that the company was also sued for negligence over the breach by a customer seeking class-action status.
“Uber failed to implement and maintain reasonable security procedures and practices appropriate to the nature and scope of the information compromised in the data breach,” according to the complaint filed Tuesday in federal court in Los Angeles.
Uber’s co-founder and former CEO Kalanick had learned of the data breach in November 2016, a month after it took place, the company said. Uber had just settled a lawsuit with the New York attorney general over data security disclosures and was in the process of negotiating with the Federal Trade Commission over the handling of consumer data, Bloomberg said.
According to the report, two attackers accessed a private GitHub site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.
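The attack path described above, credentials committed to a source repository and then reused against a cloud account, is the case that secret scanning in CI or a pre-commit hook exists to catch. The following is an added example and not Uber’s code or anything from the report; it assumes the credentials were AWS-style long-term access keys (the report does not say what form they took) and scans constructed sample file contents for them:

```python
import re

# Constructed sample repository contents (not from the article): one config
# file with an AWS-style key pair committed in plain text, plus a clean file.
SAMPLE_FILES = {
    "config/prod.env": (
        "DB_HOST=db.internal\n"
        "AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01\n"
        "AWS_SECRET_ACCESS_KEY=abcdefghijklmnopqrstuvwxyz0123456789ABCD\n"
    ),
    "README.md": "Deployment notes: credentials come from the instance role.\n",
}

# Detection rules. "AKIA" + 16 uppercase alphanumerics is the documented prefix
# format of AWS long-term access key IDs; the 40-character secret has no
# distinctive prefix, so that rule keys on the variable name next to it.
RULES = [
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("aws_secret_access_key",
     re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})")),
]


def redact(secret):
    """Keep only the ends so a finding can be triaged without re-leaking it."""
    return secret[:4] + "..." + secret[-4:]


def scan_text(path, text):
    """Return one finding dict per rule hit, with file, line number and rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in RULES:
            for match in pattern.finditer(line):
                findings.append({"file": path, "line": lineno,
                                 "rule": name, "match": redact(match.group(1))})
    return findings


def scan_files(files):
    """Scan a {path: contents} mapping, e.g. the staged files of a commit."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def should_block_commit(files):
    """Pre-commit policy: any credential finding rejects the commit."""
    return bool(scan_files(files))


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']}: {f['rule']} ({f['match']})")
    print("block commit:", should_block_commit(SAMPLE_FILES))
```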
A patchwork of state and federal laws requires companies to alert people and government agencies when sensitive data breaches occur. Uber said it was obligated to report the hack of driver’s license information and failed to do so.
“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorised access by the individuals,” Khosrowshahi said. “We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”