Uber Technologies executives concealed a data breach, which compromised the information of 57 million accounts, for more than a year, the San Francisco ride-hailing company said on Tuesday. This concealment effort reportedly included a $100,000 payout to the hackers in exchange for their silence about the incident.
That hack, which occurred in October 2016, exposed users’ names, email addresses, and phone numbers, as well as the names and driver's license numbers of 600,000 drivers. Users from around the world were affected, the company said, adding that it had not detected any theft of trip location history, credit card numbers, bank account numbers, Social Security numbers, or birthdates.
“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals,” CEO Dara Khosrowshahi said in a statement. “We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed.”
Khosrowshahi, who assumed the role of Uber CEO in August, also implied he was only just learning of the hack, writing, "You may be asking why we are just talking about this now, a year later. I had the same question, so I immediately asked for a thorough investigation."
In a year marked by public protest, internal strife, and the ousting of former CEO Travis Kalanick, the revelation that Uber executives concealed a data breach for more than a year will do little to bolster the company’s reputation with customers. According to Bloomberg News, which first reported the story, the company ousted Chief Security Officer Joe Sullivan and one of his deputies over the incident. Kalanick, who currently sits on Uber's board, also reportedly knew about the hack.
A spokesperson for Kalanick declined to comment.
On Tuesday, a spokesperson for the New York Attorney General's office told BuzzFeed News that it was opening an investigation into the data breach.
The company advised riders that no action needed to be taken in light of the breach. As for drivers, Uber said it would be notifying those affected by mail or email and offering them free credit monitoring and identity theft protection.
“We have seen no evidence of fraud or misuse tied to the incident,” the company said in a statement. “We are monitoring the affected accounts and have flagged them for additional fraud protection.”
Uber, which is currently the subject of several federal probes and numerous civil suits, said it has now notified regulatory authorities and consulted former National Security Agency general counsel Matt Olsen on how to restructure its security team. The company did not say if it had hired anyone to replace Sullivan.
Sullivan, a former federal prosecutor and a big-name hire from Facebook, joined Uber in 2015 and recently advised former President Barack Obama as part of a commission to enhance national cybersecurity. In August, presumably after knowing about and trying to cover up Uber's data breach, he shared a blog post on Twitter on using technology to protect users' accounts.
Following a 2015 incident in which the company was found to have stored the information of 50,000 drivers on a public coding site, the company unveiled a bug bounty program in March 2016. That program offered up to $10,000 for critical vulnerabilities.
Uber told Bloomberg that in October 2016 two attackers broke into a private site used by the company's engineers to store and access code. The hackers used credentials found on that site to obtain data from an Amazon Web Services account that contained rider and driver information. The unnamed assailants then disclosed their exploits to Uber the following November and were paid a ransom.
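The attack path described above (cloud credentials sitting in a code repository, then reused against the cloud account) is the kind of thing a repository secrets scan is meant to catch before a commit lands. The following is an added illustration written for this article, not Uber's tooling and not code from any party in the story. It assumes the credentials were AWS long-term access keys in AWS's documented format (the article only says "credentials"); the sample repository it scans is constructed inline, using the placeholder key values AWS publishes in its own documentation.

```python
"""Minimal secrets scan for a source tree: flags AWS-style access key IDs and
secret keys committed to files. Added example; the credential formats below are
an assumption about what such a scanner looks for, not a detail from the article."""
import os
import re
import tempfile

# Long-term (AKIA) and temporary (ASIA) AWS access key IDs: prefix + 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A 40-character secret assigned to an aws_secret_access_key-style setting (INI, env, YAML, JSON).
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})['\"]?"
)
# Directories that are either not source or would only duplicate findings from tracked files.
SKIP_DIRS = {".git", "node_modules", "venv", ".venv"}


def redact(value):
    """Keep enough of a match to triage it without re-exposing the secret in a report."""
    return value[:4] + "..." + value[-4:] if len(value) > 8 else "***"


def scan_text(text, path="<memory>"):
    """Return one finding per credential-shaped match, with file, line and redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"path": path, "line": lineno,
                             "kind": "aws_access_key_id", "match": redact(m.group(0))})
        for m in SECRET_KEY_RE.finditer(line):
            findings.append({"path": path, "line": lineno,
                             "kind": "aws_secret_access_key", "match": redact(m.group(1))})
    return findings


def scan_tree(root):
    """Walk a checkout, skipping SKIP_DIRS, and scan every readable file as text."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(fh.read(), os.path.relpath(path, root)))
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
    return sorted(findings, key=lambda f: (f["path"], f["line"], f["kind"]))


def build_sample_repo():
    """Constructed sample checkout. The key values are AWS's published documentation
    placeholders, not real credentials."""
    root = tempfile.mkdtemp(prefix="sample_repo_")
    files = {
        "config/settings.ini": (
            "[default]\n"
            "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
            "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        ),
        # Prose mentioning the prefix alone must not trigger a finding.
        "README.md": "Keys beginning with AKIA are long-term IAM user keys; use a role instead.\n",
        # Same secret inside .git is ignored: the tracked file already reports it.
        ".git/objects/deadbeef": "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    repo = build_sample_repo()
    for f in scan_tree(repo):
        print(f"{f['path']}:{f['line']}: {f['kind']} {f['match']}")
```

Run as a pre-commit or CI step, a non-empty result from `scan_tree` is the signal to block the commit and rotate the key; the redacted report is enough to find and remove the line. The structural fix the incident points at is to keep long-lived keys out of repositories entirely and have engineers assume short-lived role credentials instead, so that a leaked repository no longer hands over the cloud account.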
The story was updated with information that the New York Attorney General's office is opening an investigation into Uber's data breach.