Uber faced a data breach in 2016 that affected some 57 million customers, including both riders and drivers, revealing their names, email address and phone numbers. That affected group included 50 million riders and 7 million drivers; around 600,000 driver license numbers for U.S. drivers were also included in the breach, according to a new report from Bloomberg.
Uber did not report the incident to regulators or to affected customers, but instead paid $100,000 to “hackers” to get rid of the data in order to keep the breach under wraps, according to the report. It says further that no security numbers or trip location information was taken in the attack, and that it doesn’t believe the info that was leaked was ever used, though it doesn’t specify who was responsible.
New Uber CEO Dara Khosrowshahi told Bloomberg via email that while he “will not make excuses” for the incident, he also believes that “none of this should have happened.” Khosrowshahi, who joined the ride-hailing company in August after a search for a replacement CEO following co-founder Travis Kalanick’s departure, also said that Uber did shut down the attack vector and increased its security measures following the attack, but that it failed in its duty to report.
Bloomberg says that Kalanick was aware of the hack as early as November 2016, just a month after it occurred. Uber Chief Security Officer Joe Sullivan, and a key senior deputy to the CSO, have also been removed from the company this week, specifically for their roles in keeping the cyberattack secret.
The report says the attack occurred because attackers managed to gain login credentials for an Uber Amazon Web Services account using a private GitHub site maintained by Uber engineers.
In a blog post addressing the breach, Khosrowshahi laid out plans for how the company will address the fallout of the incident, including bringing on a former NSA general counsel to provide guidance to Uber’s security teams, and notifying drivers whose license numbers were included in the breach. Uber will not only notify the drivers, but also offer them credit monitoring and identity theft protection services, though the post also says they haven’t seen “evidence of fraud or misuse tied to the incident.”
We’ve reached out to Uber for additional comment, and will update if we receive a response.