Uber Technologies admitted on Tuesday that it failed to disclose a massive cyber breach last year that exposed the data of more than 57 million people, including customers and drivers.
Discovery of the concealment led to the departure of two executives who led Uber’s response to the hacking incident, Reuters reports, citing Dara Khosrowshahi, the ride-hailing services firm’s new chief executive.
Khosrowshahi, who was named CEO in August following the departure of founder Travis Kalanick, said he had only recently learned of the matter himself.
“None of this should have happened, and I will not make excuses for it,” Khosrowshahi was quoted as saying in a blog post.
According to the firm, two individuals downloaded data from a web-based server at another company that provided Uber with cloud-computing services.
The data contained names, email addresses and mobile phone numbers of about 57 million Uber users around the world. The hackers also downloaded names and driver’s license numbers of some 600,000 of Uber’s US drivers.
More sensitive information such as social security numbers, credit card information, trip location details, and birth dates, had not been compromised, according to the company.
Uber confirmed it had paid the hackers US$100,000 to delete the data and keep the breach quiet, news that was first reported by Bloomberg.
The company’s chief security officer Joe Sullivan, and a key senior deputy to the Sullivan, were ousted this week for their role in hiding the data breach.
According to Bloomberg, the breach occurred when two attackers obtained login credentials to access data stored on Uber’s Amazon Web Services account, and they discovered an archive of rider and driver information. Later, they emailed Uber asking for money.
Uber did not report the incident to regulators or affected customers, but instead paid hackers to delete the data and keep the breach quiet.
Uber said it believes the information that was leaked was never used, but declined to disclose the identities of the attackers, Bloomberg reported.
“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals,” Khosrowshahi was quoted a saying in a statement.
The company had obtained assurances that the downloaded data had been destroyed, the CEO said.
The hack and subsequent concealment are just the latest in a string of scandals and crises Khosrowshahi inherits from his predecessor, Kalanick.
According to the company, Kalanick learned of the hack in November 2016.
“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” Khosrowshahi said.
– Contact us at [email protected]