Uber admits cover up of hack exposing millions of users, reportedly paid thieves to delete data

Security chief is reportedly sacked over response to 2016 theft that new CEO admits included names, emails and mobile numbers of users around the world

PUBLISHED : Wednesday, 22 November, 2017, 8:28am
UPDATED : Wednesday, 22 November, 2017, 10:20pm

Uber Technologies failed to disclose a massive breach last year that exposed the data of some 57 million users of the ride-sharing service, the company’s new chief executive officer said on Tuesday.

Discovery of how the incident had been handled led to the departure of the two employees who led Uber’s response to it, said Dara Khosrowshahi, who was named CEO in August following the departure of founder Travis Kalanick.

Khosrowshahi said he had only recently learned of the matter himself.

The company’s admission that it failed to disclose the breach comes as Uber seeks to recover from a series of crises that culminated in Kalanick’s ousting in June.

“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said in a blog post.

According to the company’s account, two individuals downloaded data from a web-based server at another company that provided Uber with cloud computing services.


The data contained names, email addresses and mobile phone numbers of some 57 million Uber users around the world. The hackers also downloaded the names and driving licence numbers of some 600,000 of the company’s US drivers, Khosrowshahi said.

Bloomberg News reported that Uber’s chief security officer Joe Sullivan and a deputy had been ousted from the company this week because of their role in the handling of the incident. The company paid hackers US$100,000 to delete the stolen data, according to Bloomberg.

Though such payoffs are rarely discussed in public, US Federal Bureau of Investigation officials and private security companies have said in the past year that an increasing number of companies have made payments to criminal hackers who have turned to extortion.

No other companies are known to have concealed breaches that required public disclosure, such as those involving protected personal information.

Sullivan, formerly the top security official at Facebook, is a former federal prosecutor and one of the most admired security executives in Silicon Valley.

Kalanick learned of the breach a month after it took place, in November 2016, as the company was in negotiations with the US Federal Trade Commission over the handling of consumer data, according to Bloomberg.

Uber representatives did not respond when asked to comment on the Bloomberg report.

The company’s failure to disclose the breach was “amateur hour”, said Chris Hoofnagle of the Berkeley Centre for Law and Technology.

“The only way one can have direct liability under security breach notification statutes is to not give notice. Thus, it makes little sense to cover up a breach.”

“The hack and the cover up is typical Uber only caring about themselves,” said Robert Judge, an Uber driver in Pittsburgh, who said he had not heard anything from the company. “I found out through the media. Uber doesn’t get out in front of things, they hide them.”

Additional reporting by The Guardian