Uber paid $100,000 for hackers' silence over huge data breach
Hackers stole 57 million drivers' and users' details, but Uber didn't say a word
Uber tried to hide a massive data breach, affecting 57 million drivers and users, the company has admitted.
The cover up involved payments of $100,000 (75,000) to the hackers, according to Bloomberg, which broke the news.
The breach happened in October 2016, and encompassed names, email addresses and phone numbers of over 50 million users of the service from around the world. Around 7 million drivers were also affected, with hackers accessing around 600,000 US driver's license numbers.
Reports claim Uber's former chief executive Travis Kalanick has known about the breach for over a year. Kalanick was forced out of the company in June, after months of controversies relating to sexism and poor working practices. He was replaced in August by former Expedia boss, Dara Khosrowshahi.
"While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection," Khosrowshahi said in a statement.
"None of this should have happened, and I will not make excuses for it," he added. "While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes."
In the wake of the revelation, Uber has fired its chief security officer, Joe Sullivan. The company has also set up pages for drivers and riders that may have been affected by the hack. These emphasise that the company has seen no evidence for fraud. It mentions that Uber will offer drivers free credit monitoring and identity theft protection, but doesn't extend this to users of the service.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
"Our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded," the page explains.
Two hackers managed to access a private GitHub site for Uber software engineers, according to Bloomberg. They were able to grab login credentials from there, which allowed them to access an Amazon Web Services account for Uber. There they found an archive of driver and user information, and blackmailed the company for money.
Uber has not had a great year, to put it mildly. The resignation of Kalanick was clearly intended to distance the company from mounting claims of allowing a sexist working environment, and came in the wake of reports that Uber's boss in Asia had been fired for obtaining medical records of a woman who had been raped by an Uber driver. The bad news has continued to amount since Khosrowshahi joined the company, however. The ride sharing company has lost its licence to operate in London, and recently lost an appeal in the UK over how its workers should be categorised.