Uber is said to have paid hackers to the tune of USD100,000 to conceal a breach of the company’s systems in 2016. Uber confirmed that the information of over 57 million customers and drivers was stolen in October 2016 without the company alerting those affected.
The hackers were reported to have stolen personal data including names, email addresses and phone numbers, as well as the names and driver’s license numbers of about 600,000 drivers in the United States. The company said, however, that more sensitive information, such as location data, credit card numbers, bank account numbers, social security numbers, and birth dates, had not been compromised.
In his statement, Uber chief executive Dara Khosrowshahi said the company had “obtained assurances that the downloaded data had been destroyed” and had improved its security, but that the company’s “failure to notify affected individuals or regulators” had prompted him to take several steps, including the departure of two of the employees responsible for the company’s 2016 response.
Uber’s chief security officer, Joe Sullivan, was one of the two employees who left the company, Bloomberg reported.
The company’s failure to disclose the breach was “amateur hour”, said Chris Hoofnagle of the Berkeley Center for Law and Technology. “The only way one can have direct liability under security breach notification statutes is to not give notice. Thus, it makes little sense to cover up a breach.”
Uber said in a statement to drivers that it would offer those affected free credit monitoring and identity theft protection.
According to Bloomberg, the breach occurred when two hackers obtained login credentials that gave them access to data stored in Uber’s Amazon Web Services account. Paul Lipman, CEO of cybersecurity firm BullGuard, said that the fact that the data was being stored unencrypted was “unforgivable”.
“That’s just a complete misstep from an information security viewpoint,” he added.