Uber Suffered Massive Data Breach Of 57 Million Accounts And Paid Hackers To Keep It A Secret



Uber suffered a massive data breach that exposed the personal information of 57 million accounts. The ride-sharing service attempted to hide the breach by paying off the hackers to keep it a secret. The data breach was acknowledged on Tuesday by Dara Khosrowshahi, who was named Uber’s CEO in August following the departure of founder Travis Kalanick.

The breach happened in October of 2016, but Khosrowshahi said he had only recently learned of the data breach. “None of this should have happened, and I will not make excuses for it,” Khosrowshahi said in a blog post on the company’s website. Kalanick learned of the breach in November 2016, a month after it happened. Uber had not notified regulators at the time, but Khosrowshahi said the company has begun notifying regulators. The New York attorney general has opened an investigation into the breach.

Two hackers were able to gain access to the personal data of 57 million worldwide Uber accounts and 600,000 drivers in the United States. The information was stored on a third-party cloud service. The hackers were able to steal names, email addresses, and mobile phone numbers of Uber users and the names and driver’s license numbers of drivers.

Bloomberg outlines how the hackers were able to infiltrate Uber:

Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.

“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals,” Khosrowshahi said. “We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.” The $70 billion company kept the breach secret for about a year by paying the hackers’ ransom of $100,000. In exchange, the hackers deleted their copy of the stolen data and signed non-disclosure agreements. The payoff was disguised as part of Uber’s bug bounty program. Uber has fired two employees as a result of the cover-up.

“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” Khosrowshahi said. “We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.” This isn’t the first time data has been stolen from Uber. The ride-sharing service was hacked in May 2014, when 50,000 drivers’ details were stolen.

[Reuters/Fortune]