Uber has just disclosed a security incident from late 2016 in which two hackers downloaded a “significant amount” of data, including the personal information of 57 million users. The data included names, email addresses, and mobile phone numbers.
The ride-sharing company also said the names and driver's license numbers of more than 600,000 of its drivers were acquired in the security breach. Uber has not seen any indications that trip location history, credit card numbers, bank account numbers, Social Security numbers or birthdates were downloaded by the attackers. Uber acknowledged the breach with a statement on its own website.
Uber claims it has taken a number of steps to address last year’s security failure, including monitoring affected accounts, and providing its affected drivers with free credit monitoring. The company says that it “subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed.”
Hackers Paid Off
Bloomberg has more on the breach, including details on the destruction of that downloaded data. Uber made a $100,000 payment to the hackers to delete the data and keep the hack under wraps — and Uber’s chief security officer and another employee were subsequently fired.
Two individuals hacked Uber through a private coding site used by Uber software engineers. They took login credentials from that site and accessed data stored on a separate Amazon Web Services account. That’s where they discovered the user information, and they followed up later by asking Uber for money.
Uber believes the hackers never used the information, and the company also claims the data was deleted. But Uber's legal issues surrounding the breach have just begun.
New York Attorney General Eric Schneiderman has already launched an investigation into the hack, and Uber has also been sued for negligence by a customer seeking class-action status, Bloomberg notes.
It’s been a tumultuous time for the company, as Uber founder Travis Kalanick resigned from his position as CEO in June. Uber has been dealing with a number of public relations issues in recent years, and an investigation into the company’s workplace culture and sexual harassment allegations led to the departure of Kalanick, among others.
This isn’t even the first major data breach for the company — 50,000 Uber driver names and license numbers were exposed in a previous data breach in 2014.
In the statement revealing the breach, new Uber CEO Dara Khosrowshahi said: “None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”