Uber Was Hacked Last Year & Kept It A Secret From 57 Million Users

Leon Neal/Getty Images News/Getty Images
By Virginia Chamlee

Add a security breach and massive cover-up to the pile of issues currently confronting Uber. According to a new report from Bloomberg, Uber concealed a cyberattack that exposed the data of some 57 million people. Bloomberg reports that the ride-sharing company concealed the breach for more than a year, and that it led to the ouster of chief security officer Joe Sullivan earlier this week. Perhaps the most explosive part of the report is that the company allegedly “paid hackers $100,000 to delete the data and keep the breach quiet.”

The company's CEO, Dara Khosrowshahi, told Bloomberg in a statement, “None of this should have happened, and I will not make excuses for it. We are changing the way we do business.”

The attack is said to have occurred in October 2016, with hackers stealing information including riders’ names, phone numbers, and email addresses. It is unclear whether that means the hack only affected those riders who used the service in October 2016, or if it affected anyone who had the app installed at that time.

Uber has already created an information page regarding how the hack might have affected riders. According to the company, no evidence of fraud or misuse has been found as a result of the incident though it continues to monitor affected accounts, which have been flagged "for additional fraud protection."

The company advises riders to continually monitor their credit and Uber accounts for fraud, but says it does not believe any individual rider needs to take action.

The personal information of Uber customers from around the world was accessed, along with that of roughly 7 million drivers, “including some 600,000 U.S. driver’s license numbers,” reports Bloomberg. Uber has said that no Social Security numbers or trip location details were taken.

Michael Cohen/Getty Images Entertainment/Getty Images

In a statement released on Tuesday, Khosrowshahi downplayed the incident, saying that it was the work of "two individuals outside the company" who "inappropriately accessed user data stored on a third-party cloud-based service that we use. The incident did not breach our corporate systems or infrastructure." He said he only recently became aware of the incident, though Bloomberg reports that he found out a month after it happened, in November 2016.

Khosrowshahi writes that the company took "immediate steps to secure the data and shut down further unauthorized access by the individuals" once it knew about the hack, and obtained "assurances that the downloaded data had been destroyed" by the individuals who downloaded it. "We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts," Khosrowshahi writes.

Among the actions the company has taken in the wake of the hack (other than, according to Bloomberg, allegedly paying off the hackers to delete the evidence that it happened) include notifying drivers individually if their license numbers were downloaded, providing those drivers with free credit reporting, and notifying regulatory authorities.

So, how does a big company like Uber get hacked? Bloomberg reports that it was relatively easy, as hacks go: "Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company."

Mike Windle/Getty Images Entertainment/Getty Images

The company's founder, Travis Kalanick, resigned in June after the company was plagued with a slew of crises. According to the Bloomberg report, the U.S. "has opened at least five criminal probes into possible bribes, illicit software, questionable pricing schemes and theft of a competitor’s intellectual property," regarding Uber.

According to Khosrowshahi's statement, the company is committed to learning from its mistakes: "None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers."