Uber Lost Information on 57 Million People to Hackers, Then Covered It Up
Uber was hacked. That's not too shocking. It happens to major companies with disconcerting frequency. What is a little shocking is how Uber handled the loss of personal information on 57 million people.
In a blog post Tuesday, Uber CEO Dara Khosrowshahi says the incident took place more than a year ago, and the company paid hackers to cover it up. Uber did not inform regulators or customers about the breach.
The company revealed to Bloomberg it concealed the attack because the hackers were looking for money and promised to delete the data if Uber paid $100,000. The affected individuals were 50 million customers and seven million drivers, 600,000 of which had their driver's license numbers compromised. The company has "not seen any indication" social security numbers, credit card numbers, trip location data, or birthdates were compromised. However, it did lose names, phone numbers, and email addresses for the affected customers.
The details of how Uber got hacked (Uber engineers left their AWS keys on Github) don't do much to inspire confidence in their cybersecurity practices. This is the equivalent to: left the keys to the safe in the front door.— Sheera Frenkel (@sheeraf) November 21, 2017
When the October 2016 incident took place, the ride-sharing company was in talks with US regulators investigating claims of privacy violations. The company says it believes it was required to report the hack during those negotiations but didn't.
“None of this should have happened, and I will not make excuses for it,” Khosrowshahi told Bloomberg. “We are changing the way we do business.” The company's chief security officer was asked to resign and "one of his deputies" was fired due to their roles in the incident.
It all took place under the watch of former CEO and current board member Travis Kalanick. He was ousted in June under pressure from investors after a run of scandals that included tracking customers, underpaying drivers, a program to track Lyft drivers, a program to trick law enforcement, and Kalanick yelling at an Uber driver.
Uber has hired Matt Olsen, a former director of the National Counterterrorism Center, as an advisor who will help restructure the company's security teams.
Additionally, the company launched resource pages for riders and drivers. The riders page more or less says Uber doesn't have any evidence the hackers have done anything with the acquired data. Drivers will be notified and are being offered free credit monitoring and identity theft protection services.
Sign up here for our daily Thrillist email, and get your fix of the best in food/drink/fun.