USA TODAY US Edition

Uber kept hack of 57M hidden for a year

Company paid hackers to delete the data instead of reporting breach

- Elizabeth Weise

SAN FRANCISCO — Personal information belonging to about 57 million Uber customers and drivers was stolen by hackers last October, a breach the company kept hidden for a year and for which its chief security officer was fired this week.

The stolen data included names, email addresses and phone numbers of 50 million Uber riders and 7 million drivers. The drivers’ stolen information also included 600,000 U.S. drivers’ license numbers, CEO Dara Khosrowshahi said in a statement.

“You may be asking why we are just talking about this now, a year later. I had the same question,” Khosrowshahi wrote.

After asking for an investigation, Uber discovered that instead of notifying regulators and the affected individuals, it had “identified the individuals and obtained assurances that the downloaded data had been destroyed,” he wrote.

The New York State Office of the Attorney General has opened an investigation into the newly revealed breach, said press secretary Amy Spitalnick. Bloomberg reported Tuesday afternoon that the company actually paid the hackers $100,000 to delete the data and keep mum about it.

Khosrowshahi in his blog post said that “effective today, two of the individuals who led the response to this incident are no longer with the company.”

According to Bloomberg, those individuals were chief security officer Joe Sullivan and Craig Clark, a senior lawyer who reported to Sullivan.

Uber did not respond to a request for comment for more details about the allegations.

In a statement to its users, Uber said it did not believe they needed to take action. “We have seen no evidence of fraud or misuse tied to the incident. We are monitoring the affected accounts and have flagged them for additional fraud protection,” the statement read.

How it happened

According to Bloomberg, the breach began when attackers accessed Github.com, a website used by software engineers, and obtained login credentials there for information stored on an Amazon Web Services account controlled by Uber. In that account they found an archive containing rider and driver data.

That is similar to a 2014 case in which an Uber engineer put an access ID for Uber’s third-party cloud storage on Github.com, a website for software engineers. The post was accessible to the general public, according to New York Attorney General Eric Schneiderman. In May, someone unaffiliated with Uber accessed the database, including Uber driver names and license numbers.

Uber discovered the breach in September 2014 but did not provide notice to the affected drivers or Schneiderman’s office until six months later, the Attorney General’s office said.

Uber agreed to pay a $20,000 penalty for failure to provide timely notice of the breach to drivers and the Attorney General.

Previous troubles

The fine comes as the ride-hailing company continues to be targeted by lawsuits for assault against its contractor drivers and struggles to polish a brand image tarnished by reports of systemic sexism and dodgy ethics that toppled co-founder and CEO Travis Kalanick earlier this year.

Under his helm, Uber had a history of playing fast and loose with regulators. In Portland, Ore., it created and used a tool called “grayballing” in 2014 to thwart city regulators’ attempts to track the service.

Uber also came under fire during an investigation by Schneiderman over having created what was known as the “God view” to allow it to track riders, a system it used at least once to track a reporter.

The company also fired executive Eric Alexander after press reports emerged that he had flown to India and illegally obtained the medical records of a woman who was raped by her Uber driver there, in an attempt to discredit her.

The former autonomous vehicle unit of Google, Waymo, has sued Uber, saying it hired former Google engineer Anthony Levandowski, who stole 14,000 files of trade secrets before leaving Google in January 2016.

The lawsuit alleges the files helped Uber improve its LiDAR technology. Uber has countered that the suit is just an attempt to stall a competitor in the potentially lucrative race for autonomous car tech.

EPA-EFE Bloomberg claims Uber paid hackers $100,000 to delete the data.
