Uber has admitted that hackers accessed data on 57 million of its users worldwide, as well as 600,000 US drivers, back in October 2016.
After discovering the breach, the company paid the hackers $100,000 to delete the data, and then failed to inform users or relevant authorities.
“I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use,” Uber’s recently appointed CEO Dara Khosrowshahi said in a blog post.
“The incident did not breach our corporate systems or infrastructure.”
While the company did not elaborate further, Bloomberg, which originally broke the story, claimed that the two attackers were able to access a private GitHub site used by Uber software engineers, which contained login details to Uber’s Amazon Web Services account.
There, the pair found the names and driver’s license numbers of around 600,000 US drivers, and information including names, email addresses and mobile phone numbers of 57 million Uber users. The attackers then emailed the company, asking for money.
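The attack path reported above started with cloud credentials committed to a source repository. As an added illustration that is not part of the original article, below is a small scanner of the kind a defender would run as a pre-commit or CI gate to catch that mistake. The access key ID format (a four-character prefix such as AKIA followed by 16 upper-case alphanumerics) is AWS's published format; the secret-key heuristic and the sample diff are constructed for this example, using the placeholder key pair from AWS's own documentation.

```python
import re
from typing import List, Tuple

# AWS access key IDs: prefix "AKIA" (long-term IAM user key) or "ASIA" (temporary
# STS key) followed by 16 upper-case alphanumerics, 20 characters in total.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")

# Heuristic (an assumption of this example, not an AWS specification): a secret
# access key is a 40-character base64-like token on a line that mentions "secret".
SECRET_KEY_RE = re.compile(r"(?i)secret[^\n]{0,40}?['\"=:\s]([A-Za-z0-9/+=]{40})\b")


def redact(value: str) -> str:
    """Keep only the first and last four characters so logs never echo the secret."""
    return value[:4] + "..." + value[-4:]


def scan_for_aws_credentials(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, finding_type, redacted_value) for every suspected credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "access_key_id", redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((lineno, "secret_access_key", redact(m.group(1))))
    return findings


def should_block_commit(diff_text: str) -> bool:
    """Pre-commit policy: refuse the commit if any AWS credential pattern is present."""
    return bool(scan_for_aws_credentials(diff_text))


# Constructed sample diff. The key pair is the placeholder pair published in AWS
# documentation, not a live credential; the commit hash line is a decoy that a naive
# "40 characters" rule would flag but the secret heuristic should not.
SAMPLE_DIFF = """\
+++ b/deploy/settings.py
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+AWS_REGION = "us-east-1"
 # unrelated: commit sha 1234567890abcdef1234567890abcdef12345678
"""

if __name__ == "__main__":
    for lineno, kind, value in scan_for_aws_credentials(SAMPLE_DIFF):
        print(f"line {lineno}: {kind} {value}")
    print("block commit:", should_block_commit(SAMPLE_DIFF))
```

In practice the same check belongs on the server side of the repository as well, since a private repository only limits who can read the secret, not what the secret can do once read.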
“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals,” Khosrowshahi said.
“We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”
To obtain those assurances, the company paid the hackers $100,000. This response was headed by chief security officer Joe Sullivan, who has now been fired along with another employee.
The breach was discovered by current CEO Khosrowshahi after the company’s board commissioned an investigation into the activities of the security team earlier this month. Bloomberg reported that previous CEO Travis Kalanick found out about the hack in November 2016, a month after it happened. The company is yet to comment on what its controversial co-founder knew, and when. Kalanick, who was ousted in June, remains on the company’s board, and recently filled two seats he controlled.
Uber said that outgoing chief legal officer Salle Yoo was not aware of the hack, but that Tony West, who starts at Uber today, had been briefed on the matter.
Now that the information is public, Uber said it is notifying affected drivers and providing them with free credit monitoring and identity theft protection, adding that it had not seen any evidence of identity fraud. The company has also turned to Matt Olsen, co-founder of consulting firm IronNet Cybersecurity, to help restructure its security teams and processes.
Uber has notified regulatory authorities about the breach, sparking several investigations. New York Attorney General Eric Schneiderman is looking into the hack, while the UK’s Information Commissioner’s Office said in a statement: “It’s always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers. If UK citizens were affected then we should have been notified so that we could assess and verify the impact on people whose data was exposed.”
“Deliberately concealing breaches from regulators and citizens could attract higher fines for companies.”
Hours after the news was made public, Uber was sued by a customer in a class action lawsuit.
“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said.
A history of violations
In its pursuit of market dominance, Uber adopted an aggressive growth strategy that saw the company flout or skirt regulations across the world. The company had previously faced at least five probes by the US Justice Department, a possible ban in London, and regulatory threats in Brazil.
Of particular concern to regulators was Uber’s practice of ‘greyballing’ - evading local government authorities in the United States, Australia, South Korea and China by identifying officials and denying them service.
The company also developed software referred to as ‘Hell,’ which scraped public data on the locations of cars used by its rival Lyft within the US. It developed a similar tool, Surfcam, which was used on Grab, its main competitor in Southeast Asia - something that may have violated Singaporean law.
Elsewhere, Uber is facing a lawsuit from Alphabet company Waymo over allegedly stealing self-driving car technology, along with several civil suits. After a woman was raped by an Uber driver in New Delhi, senior company employees allegedly traveled to India and obtained the victim’s medical records without seeking permission. The company then allegedly questioned her motives for reporting the crime, and implied a rival was involved in creating the story.
These mounting issues, as well as revelations of internal culture that allowed sexual harassment and discrimination, led to the departure of Kalanick earlier this year.
After Transport for London announced it would not renew Uber’s license this September, Khosrowshahi - then just a month into his job - admitted in an internal staff email that the company’s image was a problem.
“While the impulse may be to say that this is unfair, one of the lessons I’ve learned over time is that change comes from self-reflection. So it’s worth examining how we got here,” he said.
“The truth is that there is a high cost to a bad reputation. Irrespective of whether we did everything that is being said about us in London today (and to be clear, I don’t think we did), it really matters what people think of us, especially in a global business like ours, where actions in one part of the world can have serious consequences in another.”
Now, with a new CEO and a corporate shake-up in progress, Uber faces fresh challenges - among them a question of who in the company holds power. Prominent investor Benchmark is currently suing Kalanick in order to remove him from the board, as well as revoke his ability to choose other board members. That lawsuit may be dropped, should Japanese telecoms company SoftBank proceed with a planned investment in Uber that could reach $10 billion.
Trading platform and financial publication Capital suggested that Uber disclosed the breach ahead of SoftBank’s tender offer because it could be considered material to investors.