Ride-hailing company, Uber Technologies Inc paid hackers $100,000 to keep secret a massive breach in October 2016 last year that exposed the data of some 57 million accounts of the ride-service provider, the company said on Tuesday.
Discovery of the company’s cover-up of the incident resulted in the firing of two employees who led Uber’s response to the hack, said Dara Khosrowshahi, who was named CEO in August 2016 following the departure of founder Travis Kalanick.
Uber learned of the incident in November 2016 however Khosrowshahi said he had only discovered it recently. He wrote in a blog post:
[box type=”note” align=”aligncenter” ]I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use. The incident did not breach our corporate systems or infrastructure.
Our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded. However, the individuals were able to download files containing a significant amount of other information, including:
- The names and driver’s license numbers of around 600,000 drivers in the United States.
- Some personal information of 57 million Uber users around the world, including the drivers described above. This information included names, email addresses and mobile phone numbers.
At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.
The company said no trip location history, credit card numbers, bank account numbers, Social Security numbers, or dates of birth were taken.
“None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.,” Khosrowshahi wrote.
Bloomberg News reporter Eric Newcomer first reported the data breach on Tuesday. After Uber’s disclosure Tuesday, New York Attorney General Eric Schneiderman launched an investigation into the hack, his spokeswoman Amy Spitalnick told Bloomberg. The company was also sued for negligence over the breach by a customer seeking class-action status.
“Uber failed to implement and maintain reasonable security procedures and practices appropriate to the nature and scope of the information compromised in the data breach,” according to the complaint filed Tuesday in federal court in Los Angeles.
The lawsuit seeks to represent all Uber drivers and customers in the U.S. whose information was stolen.
Representatives of the San Francisco-based company didn’t immediately respond to a request for comment on the lawsuit.
Here’s how the hack went down, according to Bloomberg: Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.
This week, the ride-hailing firm ousted its chief security officer, Joe Sullivan and one of his deputies for their roles in keeping the hack under wraps.
[Source 3]– Uber Blog