Uber paid to hide a data breach that revealed sensitive information on 57 million users, leading to the dismissal of Chief Security Officer Joe Sullivan.
The breach took place in October 2016 and revealed names, email addresses, phone numbers and U.S. driver’s license numbers. Social Security numbers, location data and payment data was not accessed, Uber said. The company paid the hackers $100,000 to stay quiet and delete the data. Uber has not revealed the identities of the hackers.
The breach and the payment to hackers was first reported by Bloomberg. New York Attorney General Eric Schneiderman is investigating the hack.
According to the report, hackers first breached the ridesharing company through an Uber-owned GitHub account. They found more credentials there, including usernames and passwords to an Amazon Web Services account that held rider and driver information. With the information in hand, they demanded money from the company.
“I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use,” Uber’s CEO Dara Khosrowshahi Khosrowshahi said in a release. “The incident did not breach our corporate systems or infrastructure.”
Sullivan’s deputy, Craig Clark, has also been fired. Clark, a senior lawyer who reported to Sullivan, helped lead the incident response to the hack.
“None of this should have happened, and I will not make excuses for it,” Uber’s CEO Dara Khosrowshahi said in a release. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
Khosrowshahi was appointed Uber CEO in September after co-founder Travis Kalanick resigned amid a flurry of criticism surrounding prolific sexual harassment issues and systemic company issues that came to public light.
Kalanick knew of the breach by November 2016, when he was still CEO but did nothing to notify regulators and users despite a legal obligation to do so.
Khosrowshahi said he’s brought on Matt Olsen, former general counsel of the National Security Agency and director of the National Counterterrorism Center, to “help me think through how best to guide and structure our security teams and processes going forward.”
The breach is not the first the ridesharing company has dealt with. In 2014, it publicly disclosed a major breach of personal data from nearly 110,000 drivers — including names, postal and email addresses, social security and driver’s license numbers.