Uber boss told of 57m passenger and driver hack two months ago
UBER’S new chief executive, who is trying to repair the company’s battered reputation, has known about the hack that lost 57m passengers’ and drivers’ details for over two months.
Dara Khosrowshahi was told about the breach shortly after taking charge of the company in September, according to reports. The firm also informed Softbank, the Japanese tech giant that is close to an investment of up to $10bn (£7.5bn), three weeks ago.
Uber revealed on Tuesday night that hackers accessed the accounts of 50m passengers and 7m drivers in October 2016. It learned about the incident a year ago and paid the hackers $100,000 to delete the data and keep quiet.
The information commissioner has since confirmed that the personal data of British users was accessed, and has warned that the company could be fined over the matter.
The group has sought to draw a line under the news, sacking Joe Sullivan, its chief security officer, and coming clean about the breach, which happened under the watch of its former chief executive Travis Kalanick.
But the revelation that its top brass has known for two months, reported in the Wall Street Journal, is likely to raise questions about whether customers should have been notified earlier.
Uber said that customers were informed as soon as it concluded its investigation, which revealed the extent of the breach.
“We informed Softbank that we were investigating a data breach, consistent with our duty to disclose to a potential investor, even though our information at the time was preliminary and incomplete. We also made clear that our forensic investigation was ongoing,” a spokesman said.
“However, once our internal inquiry concluded and we had a more complete understanding of the facts, we disclosed to regulators and our customers in a very public way.”
Uber said there was unlikely to be a risk of further fraud since it received assurances that the data was deleted, that passwords were not stolen and that it has seen no evidence of abuse.
However, the UK’S National Cyber Security Centre, an arm of GCHQ, has told users to immediately change their passwords.
Matt Hancock, the digital minister, told MPS on Thursday that Uber had indicated how many people were affected by the breach but that “we do not have sufficient confidence in the number that Uber has told us to go public on it”. He said further details would be published “within days”.
Last night, Uber also said it had requested permission to appeal against a ruling at the UK’S Employment Appeals Tribunal that declared its drivers were workers rather than self-employed.
The judgment said drivers should be given sick pay and the minimum wage. Uber said it had taken the ruling directly to the Supreme Court, leapfrogging the Court of Appeal, and that it wanted to have the matter “resolved sooner rather than later”.
Separately yesterday, Russian regulators ruled that Uber and Yandex’s ride-sharing businesses could merge in the country, as long as the combined company did not bar drivers from working for competitors.