Uber, the global transportation company, is in deep water once again. This time, it is not only for keeping a massive data breach secret, but also for allegedly paying the hackers responsible to keep quiet.
Uber announced yesterday that hackers managed to make off with the data of 57 million customers and drivers back in October 2016. The people affected by the breach were not informed of the incident until 21 November 2017, more than a year later.
Data of 57 million customers and drivers stolen
Dara Khosrowshahi, the current CEO of Uber, claims to have recently been made aware that two individuals outside of the company had accessed user data stored on a third-party cloud-based service that Uber uses.
The hackers were able to download personal data of 57 million customers and drivers from all over the world, including names, email addresses, phone numbers, as well as driver’s license numbers. However, credit card and bank account numbers were reportedly not stolen.
“Our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded,” Khosrowshahi reassures.
In two additional statements, for riders and drivers, Uber claims there is no evidence that the information obtained was used for fraud or otherwise misused. However, because driver's license numbers were among the data stolen, Uber is offering free credit monitoring and identity theft protection. The company is currently in the process of notifying the drivers affected. The company does admit that not notifying the drivers for over a year was wrong.
“None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” Khosrowshahi said in the original statement.
$100,000 allegedly paid to hackers
Bloomberg reports that Uber asked its chief security officer, Joe Sullivan, to resign and fired his deputy, a senior lawyer who reported to Sullivan. The two employees were forced out of the company over their involvement in concealing the incident. The media company also reports that Uber paid $100,000 to the hackers in exchange for deleting the data, and for the incident to be kept quiet. Uber has declined to identify the people behind the hack.
Travis Kalanick, the former CEO of Uber, was informed of the hack a month after it took place, in November 2016. At that time, the company was in negotiations with the Federal Trade Commission (FTC) on a privacy settlement. This is believed to have influenced the decision to keep the data breach under wraps.
Under federal law, companies are required to inform both the government and the affected people about a data breach incident, especially when sensitive data is involved. An investigation into how Uber handled the hack has been launched after the company informed law enforcement and the FTC of the hack, more than a year after the incident.