Uber revealed Tuesday that it had suffered a breach in 2016 that exposed personal information belonging to tens of millions of drivers and customers, adding to a growing list of scandals that have plagued the ride-hailing company this year.
Travis Kalanick, Uber’s co-founder and former chief executive, became aware of the breach a month after it occurred, according to Bloomberg. Instead of reporting the attack to regulators and victims last year, the company paid hackers $100,000 to delete the data and keep the security breach under wraps, Bloomberg reported.
Kalanick declined to comment, his spokesperson said.
The users’ personal information was accessed by two individuals via “a third-party cloud-based service” that Uber uses, and those individuals are no longer with the firm, according to the statement Tuesday.
According to Bloomberg:
“Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information.”
After the company learned of the breach, it took steps to prevent further access to the information, Khosrowshahi said in his statement.
“Our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded,” he said.
Uber waited until this week to inform New York’s attorney general and the Federal Trade Commission, the nation’s top consumer watchdog, about the hack, Bloomberg reported.
The hack is the latest in a series of massive breaches that raise serious questions about companies’ ability to keep customer data safe in the digital age. In October Yahoo disclosed that 3 billion of its user accounts were affected by a breach. In September the credit bureau Equifax had disclosed that the information of up to 145.5 million consumers may have been compromised. And now Uber’s revelation arrives during a pivotal period for the tech company, which is struggling to repair its reputation.
“As a security practitioner, my first thought on hearing about this breach was ‘oh, no, not again!’ It seems like we’re experiencing these large-scale breaches on a weekly basis,” said Paul Lipman, chief executive of BullGuard, a security firm.
For their role in keeping the breach quiet, Uber removed Joe Sullivan, the company’s chief security officer, as well as a deputy who worked with him, according to Bloomberg.
“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said in the statement.
“I’ve asked Matt Olsen, a co-founder of a cybersecurity consulting firm and former general counsel of the National Security Agency and director of the National Counterterrorism Center, to help me think through how best to guide and structure our security teams and processes going forward,” he added.
“They’ve enjoyed tremendous success, but it’s come at a significant cost,” said Arun Sundararajan, professor at New York University’s Stern School of Business. “It’s important that they don’t lose sight of the fact that there’s important work to be done to justify their extremely high valuation and the tremendous amount of private venture capital they’ve raised pre IPO.”