Uber is in headlines once again—this time for concealing last year’s data breach that exposed personal data of 57 million customers and drivers.
On Tuesday, Uber announced that the company suffered a massive data breach in October 2016 that exposed names, e-mail addresses and phone numbers of 57 million Uber riders and drivers along with driver license numbers of around 600,000 drivers.
However, instead of disclosing the breach, the company paid $100,000 in ransom to the two hackers who had access to the data in exchange for keeping the incident secret and deleting the information, according to a report published by Bloomberg.
Uber said none of its own systems were breached, rather two individuals outside the company inappropriately accessed and downloaded 57 million Uber riders’ and drivers’ data that was stored on a third-party cloud-based service.
The cyberattack exposed the names and driver license numbers of some 600,000 drivers in the United States, and the names, emails, and mobile phone numbers of around 57 million Uber users worldwide, which included drivers as well.
However, the company said other personal details, such as trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth, were not accessed in the attack.
Bloomberg reported that Joe Sullivan, Uber’s chief security officer, is no longer with the company. Uber would not confirm to CNNMoney which individuals had left the company.
Now Uber CEO Dara Khosrowshahi has reportedly asked for the resignation of Uber Chief Security Officer Joe Sullivan, and one of his deputies, Craig Clark, who worked to keep the attack quiet.
“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals,” Khosrowshahi said in the statement.
“We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts,” he said.
Uber did not say how hackers assured the company the stolen data was destroyed, but it did confirm that $100,000 was paid to the hackers.
According to the company, no location history, credit card numbers, Social Security numbers, or dates of birth were downloaded in the hack. Uber said it is providing free credit monitoring to drivers who had their license numbers exposed.
IT Security Professional – Security Researcher & Consultant for the Government, Enthusiast, Malware Analyst, Penetration Tester.