Uber hid a security breach affecting 57 million customers’ data


Uber noted in a statement yesterday that two hackers gained access to personal data on 57 million of its users worldwide and some 600,000 drivers in the US, which was stored on a third-party cloud service. The $70 billion company kept this a secret for about a year.

The trove of customer data included names, email addresses and mobile phone numbers; Uber said that its forensic investigation didn’t show that other information like credit card numbers or location history was stolen. As such, it’s not advising affected customers to take any steps to protect themselves at this point. The company said that it would notify drivers whose driving licence details were stolen, and provide them with free credit monitoring and identity theft protection.

That’s just the half of it. According to the New York Times, after the incident took place in late 2016, Uber paid the hackers $100,000 in ransom so they’d delete their copy of the stolen data; the company then had them sign non-disclosure agreements and disguised the whole affair as part of a bug bounty program.

The data theft happened on former Chief Security Officer Joe Sullivan’s watch; previously the head of security for Facebook, he’s now been shunted out of the company. Uber’s infamous former CEO Travis Kalanick had been ousted from his position before this breach and a replacement hadn’t yet been found; he was still serving on the company’s board of directors at the time.

This isn’t the first time Uber’s systems have been breached; it was previously attacked in May 2014, when 50,000 drivers’ details were stolen. However, it’s the first incident that newly appointed CEO Dara Khosrowshahi has had to address since he took on the role at the end of August.

As if he didn’t already have a difficult enough job of fixing so many things that are broken within Uber’s ranks and company culture, the revelation of this security breach means that Khosrowshahi will have to find a new CSO, and a new legal director of security and law enforcement – while working to rebuild the firm’s reputation worldwide.
