Uber Continues to Screw Up – Paid Hackers $100,000 to Hide a Massive Breach That Affected 57 Million Users
Mega breaches continue to be reported and major companies continue their efforts to hide these breaches and/or downplay their severity. In a latest, it has been revealed that hackers stole personal data of over 57 million customers and drivers from Uber. The ride hailing company that has had its fair share of problems in the past year kept the breach under wraps for more than a year.
The attack happened in October 2016 and leaked data of drivers and riders. This stolen data includes names, email addresses and phone numbers, according to the company's statement published by its new CEO. Over 50 million customers and 7 million drivers' data is affected. While no social security numbers or financial data was stolen, Uber has said that the stolen data included 600,000 US driver’s license numbers.
"I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use," the company's new CEO, Dara Khosrowshahi, said in an online statement. "The incident did not breach our corporate systems or infrastructure."
What exactly happened: Kalanick and Uber's security team paid hackers to keep the incident under wraps
Bloomberg reports that two attackers accessed a private GitHub coding site that was used by Uber software engineers. They used those login credentials to access data stored on an Amazon Web Services account that handled computing tasks for the company. "From there, the hackers discovered an archive of rider and driver information," the publication adds.
"Later, they emailed Uber asking for money."
While the company was required to alert the affected people and the government agencies when the data breach occurred, Uber - in its trademark way of flouting regulations - paid the hackers $100,000 to keep quiet and informed no one.
The breach will add into the scandals associated with Travis Kalanick, the company's former CEO and co-founder, and his largely unethical leadership style. Kalanick had learned about this hack in November 2016, just a month after it took place, but let the security department keep it under wraps. The current Uber leadership suggests that the data was never used, but has so far refused to disclose the details of the attackers.
The new leadership came to know about this incident after the board commissioned an investigation into the activities of its chief security officer, Joe Sullivan, and his security team. The company has now let go of Sullivan along with one of his deputies for allegedly keeping the incident unreported.
"None of this should have happened, and I will not make excuses for it,” Khosrowshahi, the company's new CEO who keeps on inheriting more troubles from Kalanick, said. "We are changing the way we do business."
The new CEO believes that hackers did delete that data and that no one is at risk. "At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals," he wrote in his statement. It is unclear how Khosrowshahi can give assurances of steps taken by a security team that he has now fired.
We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.
The company has started to alert the drivers whose license numbers were included in that stolen data. "We are providing these drivers with free credit monitoring and identity theft protection," Khosrowshahi said, adding that the company is also notifying regulatory authorities.
Not the first time Uber has done something like this
This isn’t the first time that Uber has been hacked or has failed to report it. Earlier in 2016, the company agreed to a $20,000 settlement with the New York Attorney General over a 2014 data breach when it had also taken months to disclose the incident.
"None of this should have happened, and I will not make excuses for it," he wrote. "While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers."