Advertisement

Uber hid a cyberattack that exposed 57 million users' data

Uber is disclosing a mass security breach it says occurred over a year ago: Reuters
Uber is disclosing a mass security breach it says occurred over a year ago: Reuters

Uber failed to disclose a cyberattack that exposed the data of some 57 million combined drivers and passengers — and paid hackers to not release the stolen data.

In a statement posted online, Uber CEO Dara Khosrowshahi said that an October 2016 attack encompassed personal information like names and phone numbers of Uber users worldwide. The names and drivers license numbers of some 600,000 drivers were swept up.

He said there was no indication that hackers pilfered especially sensitive information like Social Security numbers, location history or bank account and credit card numbers. Nevertheless, Mr Khosrowshahi said, “None of this should have happened”.

“We are changing the way we do business,” said Mr Khosrowshahi, who took over the scandal-plagued company after founder Travis Kalanick was forced out.

According to Bloomberg, the hack cost Chief Security Officer Joe Sullivan and an associate their jobs because they sought to keep the hack quiet. Part of that effort, Bloomberg reported, included paying the hackers $100,000 to delete pilfered information. A source familiar with the incident confirmed that account.

Mr Khosrowshahi confirmed in his statement that “two of the individuals who led the response to this incident are no longer with the company” and echoed questions about why the hack was only now emerging publicly.

“You may be asking why we are just talking about this now, a year later. I had the same question,” Mr Khosrowshahi said, noting that the company had directed former National Security Agency general counsel Matt Olsen to conduct a review of “how best to guide and structure our security teams and processes going forward”.

“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” Mr Khosrowshahi said.

Concerns about corporate cybersecurity have intensified in the wake of high-profile hacks targeting companies like Yahoo — which disclosed this year that all three billion of its email users' accounts were hacked in 2013 — and credit reporting agency Equifax, whose former CEO was grilled before Congress about security weaknesses that facilitated the attack.

But while security concerns are not unique to Uber, the company faces extra scrutiny after a turbulent stretch that helped cost Mr Kalanick his job and has Mr Khosrowshahi under pressure to remedy a corporate culture often described as toxic.

Over the past year company incurred allegations of widespread sexual harassment, lost its ability to operate in London and became the subject of a criminal Department of Justice inquiry over its use of software intended to mislead regulators.