Uber suffered a large-scale cyberattack in October of 2016 that exposed the confidential data of 57 million customers and drivers, the company disclosed today in a statement following a damning Bloomberg report. Among Uber’s faults include not only failing to disclose the hack, but in covering it up as well. Former CEO Travis Kalanick was informed of the attack just one month after it transpired, but it was not publicly announced and in fact was concealed by Chief Security Officer Joe Sullivan and his subordinates, the report says, leading Uber to fire the executive and one of his lieutenants this week.
The company allegedly paid its hackers a $100,000 ransom to delete the data and not publicize the breach to media or regulators. “None of this should have happened, and I will not make excuses for it,” current CEO Dara Khosrowshahi, who replaced Kalanick as chief exec back in September, writes in the company’s statement. “We are changing the way we do business.” Uber reportedly declined to identify the attackers.
Uber paid its hackers a $100,000 ransom and its security chief helped cover up the hack
The hack included names, email addresses, and phone numbers of more than 50 million Uber riders worldwide, while more than 7 million Uber drivers had similar data exposed on top of driver’s license numbers for around 600,000 US drivers. Bloomberg says Uber, at the time of the breach, was talking with US regulators over separate privacy violations and had just settled with the Federal Trade Commission over mishandling of consumer data, leading Sullivan to spearhead a cover-up to avoid further fallout over its security and privacy practices. Uber’s board of directors initiated an investigation of Sullivan’s team last month, leading to disclosure of the hack and its concealment.
The nature of the hack is relatively straightforward, according to Bloomberg: hackers with access to a public GitHub code repository used by Uber engineers were able to collect private login credentials to an Amazon cloud computing server, from which the hackers stole a list of rider and driver data. They then extorted Uber for the $100,000 fee. Khosrowshahi, alongside the company’s new executive leadership, have already informed the New York attorney general and the FTC of the attack. The company also says its chief legal officer, who is leaving the company and will have a replacement starting tomorrow, was never informed of the situation. Following the disclosure, New York Attorney General Eric Schneiderman confirmed to TechCrunch that it has opened an investigation into the hack and subsequent failure to report it.
“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts,” Khosrowshahi explains. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.” Uber has brought on a former lawyer for the National Security Agency, who also served as a director for the National Counterterrorism Center, to help it buff up security. The company has also retained security firm Mandiant to further investigate the hack.
Update at 5:41PM ET, 11/21: Added confirmation from Uber and a link to the company’s statement on its website.
Update at 8:06PM ET, 11/21: Added confirmation that New York AG Eric Schneiderman has opened an investigation into the cyberattack and its cover up.