Personal details for some 57 million Uber customers and 600,000 drivers were stolen by hackers over a year ago, the company revealed yesterday. Rather than reporting the incident as required by law, two higher-ups on Uber's security team paid the attackers $100,000 to keep quiet about the breach.
Those two employees, including chief security officer Joe Sullivan, are no longer with the company as of this week, according to CEO Dara Khosrowshahi.
Uber boosted security measures after the breach came to light and has since brought on a cybersecurity consultant to advise on other steps to take going forward, Khosrowshahi said in a blog post yesterday. While Uber said there have been no signs to date that the stolen data has been used for fraudulent purposes, Khosrowshahi said the company is notifying affected drivers and providing them with free credit monitoring and identity theft protection.
Affected riders have also been flagged for additional fraud protection, although they don't need to take any other action beyond regularly monitoring their credit and accounts, the company said.
Latest in a String of Damaging Developments
Long held up as an example of a wildly successful "disruptive" technology company, Uber has been hit by one PR disaster after another over the past year. Reports about widespread sexual harassment and discrimination at the company led founder/CEO Travis Kalanick to resign in June. The company has also faced state and federal investigations related to its use of "Greyball" software to evade regulators, and was told in September that London's transport agency would not renew the company's private hire operator license because it was "not fit and proper."
This week's revelations that the company covered up the hack have added to the challenges Khosrowshahi now faces in trying to repair Uber's reputation.
In a blog post yesterday, Khosrowshahi said he only recently learned of the data breach, which occurred in 2016. The hack by two unnamed individuals outside of the company didn't affect corporate systems or infrastructure, he said. But the hack did involve unauthorized access to user data on a third-party cloud service, identified by Bloomberg and other news outlets as Amazon Web Services.
"Our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded," Khosrowshahi noted. "However, the individuals were able to download files containing a significant amount of other information..."
That information included the names and license numbers of 600,000 drivers in the U.S., as well as the names, email addresses, and mobile phone numbers of 57 million Uber customers around the world.
"At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals," Khosrowshahi said. "We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts."
'None of This Should Have Happened'
The 2016 data breach was discovered after the board of directors launched an investigation into the actions of Uber's security team, according to a report yesterday in Bloomberg. The law firm commissioned to lead the investigation discovered both the breach and the team's failure to disclose the incident.
"None of this should have happened, and I will not make excuses for it," Khosrowshahi said in his blog post. "While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers."
On Twitter today, U.S. security writer Brian Krebs asked what made Uber's $100,000 payout to the hackers different from the ransoms other companies have paid to unlock system data encrypted by ransomware. Several commenters responded by noting that unlike companies hit by ransomware, Uber's business was never interrupted by the breach and that the company failed in its obligation to notify victims and regulators when it discovered the hack.
While a hack is bad enough, covering up such an incident is even worse, U.K. security writer Graham Cluley said yesterday.
"No doubt regulators will also be asking tough questions about why it wasn't informed about the breach until this week," Cluley wrote on his blog. "You can ask forgiveness for being hacked, but many people will find it harder to forgive and forget if you deliberately concealed the truth from them."