Uber Covered Up 2016 Data Breach by Paying Hackers
Hackers made off with the personal data of 57 million Uber customers and partners, a serious leak that should have been disclosed more than a year ago. The embattled ride-sharing service instead paid the attackers $100,000 or more to keep it hushed up.
With a new chief at the helm, Uber finally came clean this Tuesday, Nov. 21, about the breach, which occurred around October 2016. The attack compromised sensitive data including names, email addresses and phone numbers of an estimated 50 million customers and 7 million drivers around the world, Uber told Bloomberg.
The leak also compromised about 600,000 U.S. driver's license numbers, although Uber claims that the attackers were not able to take the Social Security numbers, credit card details and trip records associated with them.
Two hackers were able to break into the private GitHub code repository used by Uber engineers, where they took login passwords to the Amazon Web Services account holding an archive of customer and driver data.
The hackers later informed the company of the breach and asked for money, according to Uber.
The company paid the hackers $100,000 late last year to destroy the stolen data and keep the incident under wraps. The company also decided not to inform the affected customers, drivers, or law enforcement about the hack.
"None of this should have happened, and I will not make excuses for it," Dara Khosrowshahi, the newly installed chief executive officer, said in a statement.
The disclosure has prompted authorities around the world to conduct their own investigations into the breach and into how Uber chose to respond to the incident, as Reuters reports. U.S. lawmakers have also begun to call for a Congressional inquiry into the matter, and to get the Federal Trade Commission (FTC) involved.
"We've been in touch with several state Attorney General Offices and the FTC to discuss this issue, and we stand ready to cooperate with them going forward," an Uber representative said in a statement via email.
Uber has since fired its chief security officer, Joe Sullivan, and a deputy official, Craig Clark, for their roles in the cover-up. Sullivan was previously a top security official at Facebook and a federal prosecutor.