Over a year ago, hackers stole the personal data of 57 million customers and drivers from Uber Technologies Inc. The breach was concealed until this week, when the company ousted Chief Security Officer Joe Sullivan and one of his deputies for their roles in keeping the hack quiet.
According to Bloomberg, the breach from October 2016 included names, emails, and phone numbers of 50 million Uber users around the world. Additionally, the personal information of around 7 million Uber drivers was accessed, including 600,000 U.S. driver’s license numbers. Luckily, no Social Security numbers, credit card details, trip location info, or other data were taken. Instead of immediately reporting the hack, the ride-hailing company paid off the hackers to the tune of $100,000 to delete the data and keep the breach under wraps. Uber claimed that the information was never used, but they refused to disclose the identities of the hackers.
What is so alarming about this attack is not the size. For comparison, the Equifax breach affected 143 million people, nearly half of U.S. consumers. So, while the Uber breach dwarfs other attacks, their decision to hide the hack makes it a troubling case. Travis Kalanick, Uber’s co-founder and former CEO, apparently learned about the hack only a month after it happened. However, at the same time, the company had just settled a lawsuit with the New York attorney general over data security disclosures. Additionally, they were in the process of negotiating the handling of consumer data with the Federal Trade Commission.
But how did this hack happen in the first place? Two attackers gained access to a private GitHub coding site used by Uber software engineers. Using data and login credentials found there, the hackers were able to gain access to Uber’s data stored on an Amazon Web Services account. From there, it wasn’t long before they discovered an archive of rider and driver information. Finally, they asked Uber for money. At the time, Joe Sullivan, who joined Uber in 2015, was in charge of handling the attack.
Last month, Uber’s board commissioned a full investigation into Sullivan’s security team and their actions. It was this investigation by an outside firm that uncovered the hack and its cover-up. It’s unclear what will happen next for Uber after their already tough year in the spotlight. According to Bloomberg, Dara Khosrowshahi, the current CEO, said in an email statement, “None of this should have happened, and I will not make excuses for it … We are changing the way we do business.”