Uber covered up a hack that compromised 57 million accounts

Uber has revealed that, in late 2016, two hackers stole email addresses and phone numbers from Uber rider accounts, and the license numbers from U.S. driver accounts. Uber claims no credit card information, location data, or social security numbers were compromised. Yet, instead of disclosing the attack when it happened, Uber paid the hackers $100,000 to delete the data and keep it quiet.

From Bloomberg:

Uber said it believes the information was never used but declined to disclose the identities of the attackers. "None of this should have happened, and I will not make excuses for it," Dara Khosrowshahi, who took over as chief executive officer in September, said in an emailed statement. "We are changing the way we do business."

Uber's co-founder and former CEO, Travis Kalanick, learned of the attack a year ago.

Here's how the hack went down: Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.
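The chain described above starts with credentials that were readable in a source repository. As an added illustration (not code from Uber or from the original article), this sketch scans file contents for hardcoded AWS keys. The article does not say what form the credentials took, so the AWS key formats, the file names and the entropy threshold are assumptions, and the sample key values are AWS's published documentation placeholders.

```python
import math
import re
from collections import Counter

# Assumed formats: 20-char access key ID (AKIA/ASIA prefix) and 40-char base64-style secret.
KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")

def entropy(s):
    """Shannon entropy of s in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan(files, min_entropy=4.0):
    """Return (path, line_no, kind) per suspected credential; the value itself is never echoed.

    A 40-char lowercase hex string (e.g. a git SHA-1) has entropy below
    4.0 bits/char, so the threshold keeps commit hashes out of the results.
    """
    findings = []
    for path, text in files.items():
        for no, line in enumerate(text.splitlines(), 1):
            if KEY_ID.search(line):
                findings.append((path, no, "aws_access_key_id"))
            if any(entropy(m.group()) >= min_entropy for m in SECRET.finditer(line)):
                findings.append((path, no, "aws_secret_access_key"))
    return findings

# Constructed sample repository (path -> file text), not data from the incident.
SAMPLE_REPO = {
    "deploy/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "README.md": "Pinned to commit 3f786850e387550fdab836ed7e6dc881de23001b\n",
    "app/config.py": 'AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]\n',
    ".env": "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
}

if __name__ == "__main__":
    for path, no, kind in scan(SAMPLE_REPO):
        print(f"{path}:{no}: possible {kind}")
```

A key that was ever committed remains in the repository history, so a finding calls for rotating the key, not just deleting the line.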

The company claims it took steps to lock down its data and prevent any further unauthorized access.

Khosrowshahi has fired chief security officer Joe Sullivan and Craig Clark, a senior lawyer who reported to Sullivan.

Uber has also posted a statement to its company website which, along with an apology, reads:

You may be asking why we are just talking about this now, a year later. I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it. What I learned, particularly around our failure to notify affected individuals or regulators last year, has prompted me to take several actions:

  • I've asked Matt Olsen, a co-founder of a cybersecurity consulting firm and former general counsel of the National Security Agency and director of the National Counterterrorism Center, to help me think through how best to guide and structure our security teams and processes going forward. Effective today, two of the individuals who led the response to this incident are no longer with the company.
  • We are individually notifying the drivers whose driver's license numbers were downloaded.
  • We are providing these drivers with free credit monitoring and identity theft protection.
  • We are notifying regulatory authorities.
  • While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection.

This is a complete and utter cluster. The breach was bad enough. The cover-up, a potential show-stopper.

Uber was at the forefront of a logistical revolution. They completely transformed the way people arranged for, paid for, and engaged with transportation services. But under its original leadership, it also accumulated a startling number of scandals. And the number of times it violated customer trust and good faith is staggering. This is just the garbage cherry on top of the unacceptable sundae.

If the new leadership had a lot of rebuilding to do before, it has even more now. The question is, how many of us will give them yet another chance?

How to delete your Uber account

Rene Ritchie has been covering the personal technology industry for almost a decade. Editorial Director at Mobile Nations, analyst at iMore, video and podcast host, you can follow him @reneritchie on [Snapchat](https://www.snapchat.com/add/reneritchie), [Instagram](https://instagram.com/reneritchie), or [Twitter](https://twitter.com/reneritchie).
  • Huh.... UBER covering up a huge data breach, no surprise there.
  • And they believed the hackers would actually delete the data after receiving the $100,000? Give me a break. More likely the 100k was for them not to make it public but I bet they still have the information.
  • There's a saying, who knows if it's true... "No data is ever truly deleted once it hits the cloud".
  • Seems like the hackers could have gotten a lot more than $100,000 for 57 million accounts.
  • Man, Uber really are a scummy company.
  • I deleted my account late last year, but did use Uber while out in the Bay Area. The service was awesome. Too bad senior management had so many fuckups like this. Is anyone still using Uber? **** like this guarantees I never will again...
  • Switched to Lyft due to all the bad news surrounding Uber.
  • Deleting my account now.
  • That company literally does nothing good.
  • If so many multiple national companies can be hacked what are all the security and malware apps and packages that are used on our phones and computers really worth? And if they pay up and keep quiet about it until they're found out then how can we ever trust them again?