Uber paid hackers US$100K to cover up data breach last year

Uber Technologies Inc has revealed it paid hackers US$100,000 (AU$132,000) ransom last year. The massive breach contained data from 50 million Uber riders and 7 million drivers around the world.

CEO Dara Khosrowshahi, who replaced Travis Kalanick in August, said he only recently learnt that the third-party cloud-based service that they use was hacked by two individuals in October 2016. The incident, he said, did not affect their corporate systems.

Nevertheless, their drivers and customers were affected. The names and driver’s licence numbers of around 600,000 were copied, as well as the personal information of both their riders and drivers, including their names, email addresses and mobile numbers. There were no indications that their social security numbers, birth dates, bank and credit card numbers, and trip location history were stolen as well.

“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorised access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts,” Khosrowshahi wrote.

The company paid US$100,000 to the hackers in a bid to have the data stolen deleted. The CEO did not mention what assurance they got that the breached information was indeed deleted.

Khosrowshahi said that he also questioned why the breach was disclosed only after a year. Hence, he immediately asked for a thorough investigation. It was also revealed that Uber did not notify the affected individuals or regulators of the hack.

And so in an attempt to right their wrong, Khosrowshahi said they are individually notifying their drivers about the downloaded licence numbers and providing them with free credit monitoring and identity theft protection. They are also taking advice from experts on how to best guide and structure their security teams and processes to prevent similar incidents in the future. The company are also monitoring the affected accounts and have flagged them for additional fraud protection.

“None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employees that we will learn from our mistakes,” he said. “We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”

Following Uber’s revelation on Tuesday, New York Attorney General Eric Schneiderman has launched an investigation into the data breach, Bloomberg reports. Uber has also fired Joe Sullivan, the security chief who spearheaded the company’s response to the hack.

Kalanick, who was the CEO last year, learnt of the breach in November 2016, a source told Reuters. It reportedly was concluded following an investigation by a board committee that neither Kalanick nor Salle Yoo, who was the general counsel at the time, were involved in the cover-up.