By on November 22, 2017


In the midst of Uber Technologies’ corporate restructuring and cultivation of a squeaky-clean new image, the ride-hailing company was apparently hiding a dark secret. Striving for transparency, the company has now confessed that hackers stole the personal information of 57 million customers and drivers in October of 2016.

The coverup, apparently conducted by the firm’s chief security officer and another staff member, involved over $100,000 in payments to the hackers in the hope of keeping them quiet. The data lost included names, email addresses, and phone numbers of around 50 million Uber riders across the globe. Another 7 million drivers were also subjected to the digital attack, with over half a million of those losing their driver’s license numbers.

In an interview with Bloomberg, Uber claims that no Social Security numbers or credit card information was lost during the original incident. But it also confessed that it ignored its legal obligation to come forward about the nature of the attack and shouldn’t have paid hackers to delete the stolen data and keep the event secret.

“None of this should have happened, and I will not make excuses for it,” Dara Khosrowshahi, Uber’s chief executive officer since September, said in a statement. “We are changing the way we do business.”

While large companies losing customer data to digital criminals is nothing new, Uber going so far out of its way to ensure a coverup is alarming. Travis Kalanick, Uber’s co-founder and former CEO, appears to have learned of the hack in November 2016, one month after it took place. At the time, Uber had only just settled a lawsuit with the New York attorney general over data security disclosures, and was in the process of negotiating with the Federal Trade Commission over the handling of consumer data.

Joe Sullivan, the outgoing security chief, headed the response to the hack last year, according to a company spokesperson. The company’s board has been particularly interested in Sullivan’s decisions since 2015 and had hired a law firm to conduct an investigation into his doings earlier this fall. According to the company, that investigation is what uncovered the hacking and subsequent coverup.

From Bloomberg:

Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.

A patchwork of state and federal laws require companies to alert people and government agencies when sensitive data breaches occur. Uber said it was obligated to report the hack of driver’s license information and failed to do so.

“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals,” Khosrowshahi said. “We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”

After Uber’s confession, New York Attorney General Eric Schneiderman launched a secondary investigation into the hack. Meanwhile, U.K. regulators, including the National Crime Agency, are launching probes of their own. The company is also being sued for negligence over the breach by consumers seeking class-action status.

Khosrowshahi maintains that Uber is still on its mission of self-improvement. Under the previous CEO, the business became infamous for ignoring regulatory mandates and promoting a highly aggressive corporate culture that thrived on competitiveness. The current leadership says those days are over and wants to remove all the old skeletons from the company closet.

“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” Khosrowshahi said.


14 Comments on “Uber Paid Hackers to Delete the Stolen Data of 57 Million People...”


  • Kyree S. Williams

    Why would you put your credentials in the GitHub repository? That’s just silly.

  • asapuntz

    > a private GitHub coding site

    sounds like a github server on uber’s intranet, not github.com ?

  • Corollaman

    paying off hackers, what a brilliant idea!

    • Urlik

      Certainly cheaper and better for the consumers than a year of credit monitoring and an apology.

      • ClutchCarGo

        Let’s be clear, all that the payoff was for was to silence the hackers. The stolen data was not “deleted”. Despite what Uber claims about “No evidence that the stolen data has been used”, the data is still out there in someone’s hands.

    • rpn453

      It is the proper solution. I’m sure Uber’s lawyers got together with the hacker’s lawyers and they came up with a legally enforceable contract. It’s impossible to copy such a large amount of information without an entire building full of secretaries and typewriters, so as long as the information was returned to Uber, they can be sure that nobody else will have possession of any of it in the future.

  • stuki

    As long as people keep handing over personally identifying information to others, others will continue to get hold of their personally identifying information. Pretending some imaginary “good others” can and will prevent equally imaginary “bad others” from getting the data, is as pathetic as the belief that “our government” is somehow better than all the other ones which are “bad”. Just plain silly.

    The only meaningful solution to this kind of problem, is to build payment systems that resemble digital cash. Instead of schemes that require personally identifiable information that can be used to trace and track you, as well as provide the holders a link to other aspects of your life and resources. Just non identifying cash. Untraceable, irrevocable, non divulging cash.

  • I_like_stuff

    100% autonomous cars operated by the likes of Uber?

    WHAT COULD POSSIBLY GO WRONG? LOL

    I can’t wait until the hackers start hacking autonomous cars. You want to go to Boston, you end up in Baltimore instead. Hilarity ensues. Maybe we could make a reality TV show out of it…When Uber Rides Go Bad.

  • Corollaman

    Terrorist hackers turning autonomous vehicles into people mowing machines

  • Flipper35

    I think it would be news if this kind of thing didn’t happen at Uber at this point in time.

