Uber Paid Hackers to Keep Massive Data Breach Secret
Uber Technologies Inc paid hackers $100,000 to keep secret a massive breach last year that exposed the personal information of about 57 million accounts of the ride-service provider.
Discovery of the U.S. company's cover-up of the incident resulted in the firing of Uber's chief security officer and another person for their roles in keeping the hack under wraps.
At the time of the incident, Uber was negotiating with U.S. regulators investigating separate claims of privacy violations. Uber now says it had a legal obligation to report the hack to regulators and to drivers whose license numbers were taken. Instead, the company paid hackers to delete the data and keep the breach quiet. Uber said it believes the information was never used but declined to disclose the identities of the attackers.
"None of this should have happened, and I will not make excuses for it," Khosrowshahi said.
According to Khosrowshahi, the breach occurred in October 2016, but he had only recently learned of it.
The stolen information included names, email addresses and mobile phone numbers of Uber users around the world, and the names and license numbers of 600,000 U.S. drivers, Khosrowshahi said.
Uber passengers need not worry as there was no evidence of fraud, while drivers whose license numbers had been stolen would be offered free identity theft protection and credit monitoring, Uber said.
Two hackers gained access to proprietary information stored on GitHub. There, they stole Uber's credentials for a separate cloud-services provider, and with those credentials they were able to download driver and rider data from that provider, the company said. The incident did not breach Uber's corporate systems or infrastructure.
The new CEO said his goal is to change Uber's ways. Uber said it informed New York's attorney general and the FTC about the October 2016 hack for the first time on Tuesday.
Uber said it had fired its chief security officer, Joe Sullivan, and a deputy, Craig Clark, this week because of their role in the handling of the incident.
Khosrowshahi said he had hired Matt Olsen, former general counsel of the U.S. National Security Agency, to restructure the company's security teams and processes. The company also hired Mandiant, a cybersecurity firm owned by FireEye Inc, to investigate the breach.
The company plans to release a statement to customers saying it has seen "no evidence of fraud or misuse tied to the incident." Uber said it will provide drivers whose licenses were compromised with free credit protection monitoring and identity theft protection.