Uber hid data breach from customers, paid hackers to keep silent
Ride-hail app operator Uber just disclosed that it had covered up a data breach from October 2016 that exposed personal data from 57 million riders and drivers in the United States. Furthermore, it had paid the hackers $100,000 to delete the data and stay silent on the event — the data has not surfaced in a wide-scale attack yet.
The data included mobile phone numbers, email addresses and names. About 600,000 drivers also had their license numbers accessed. The data was stored on an Amazon Web Services account, the credentials for which were found in a private GitHub repository for Uber employees. No payment, Social Security or location data appears to have been affected.
Bloomberg reports that the company’s former CEO, Travis Kalanick, learned of the hack a month after it happened — he declined to comment. At the same time, Uber was trying to settle consumer data privacy issues with the New York attorney general’s office and the Federal Trade Commission.
Uber failed to give proper public notice of another data breach in 2014 and had to pay that attorney general $20,000 in fines. The office is now looking into this hack.
The board of Uber commissioned an outside investigation into Joe Sullivan, the security head who’s leaving the company. He and his division will be the key figures to track as to how this incident was hidden for so long.
Uber’s current CEO, Dara Khosrowshahi, is promising corrective action by notifying those affected and offering credit monitoring.
“You may be asking why we are just talking about this now, a year later. I had the same question,” Khosrowshahi said, “so I immediately asked for a thorough investigation of what happened and how we handled it.”