Uber suffered a large-scale cyberattack in October of 2016 that exposed the confidential data of 57 million customers and drivers, according to a Bloomberg report published today. Former CEO Travis Kalanick was informed of the hack just one month after it transpired, but it was not publicly announced and in fact was concealed by Chief Security Officer Joe Sullivan and his subordinates, the report says, leading Uber to fire the executive and one of his lieutenants this week.
The company allegedly paid its hackers a $100,000 ransom to delete the data and not publicize the breach to media or regulators. “None of this should have happened, and I will not make excuses for it,” current CEO Dara Khosrowshahi, who replaced Kalanick as chief exec back in September, told Bloomberg. “We are changing the way we do business.” Uber reportedly declined to identify the attackers.
The hack included names, email addresses, and phone numbers of more than 50 million Uber riders worldwide, while more than 7 million Uber drivers had similar data exposed, along with driver’s license numbers for around 600,000 US drivers. Bloomberg says Uber, at the time of the breach, was talking with US regulators over separate privacy violations and had just settled with the Federal Trade Commission over mishandling of consumer data, leading Sullivan to spearhead a cover-up to avoid further fallout over its security and privacy practices. Uber’s board of directors initiated an investigation of Sullivan’s team last month, leading to disclosure of the hack and its concealment.
The nature of the hack is relatively straightforward, according to Bloomberg: hackers with access to a GitHub code repository used by Uber engineers were able to glean login credentials to an Amazon cloud computing server, from which they stole a list of rider and driver data. They then extorted Uber for the $100,000 fee. Khosrowshahi, alongside the company’s new executive leadership, has already informed the New York attorney general and the FTC of the attack. The company also says its chief legal officer, who is leaving the company and will have a replacement starting tomorrow, was never informed of the situation.
“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts,” Khosrowshahi told Bloomberg. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.” Uber has brought on a former lawyer for the National Security Agency, who also served as a director for the National Counterterrorism Center, to help it buff up security. The company has also retained security firm Mandiant to further investigate the hack.