By on November 22, 2017

uber volvo

In the midst of Uber Technologies’ corporate restructuring and cultivation of a squeaky-clean new image, the ride-hailing company was apparently hiding a dark secret. Striving for transparency, the company has now confessed that hackers stole the personal information of 57 million customers and drivers in October of 2016.

The coverup, apparently conducted by the firm’s chief security officer and another staff member, involved over $100,000 in payments to the hackers in the hopes to keep them quiet. The data lost included names, email addresses, and phone numbers of around 50 million Uber riders across the globe. Another 7 million drivers were also subjected to the digital attack, with over half a million of those losing their driver’s license numbers. 

In an interview with Bloomberg, Uber claims that no Social Security numbers or credit card information was lost during the original incident. But it also confessed that it ignored its legal obligation to come forward about the nature of the attack and shouldn’t have paid hackers to delete the stolen data and keep the event secret.

“None of this should have happened, and I will not make excuses for it,” Dara Khosrowshahi, Uber’s chief executive officer since September, said in a statement. “We are changing the way we do business.”

While large companies losing customer data to digital criminals is nothing new, Uber going so far out of its way to ensure a coverup is alarming. Travis Kalanick, Uber’s co-founder and former CEO, appears to have learned of the hack in November 2016, one month after it took place. At the time, Uber had only just settled a lawsuit with the New York attorney general over data security disclosures, and was in the process of negotiating with the Federal Trade Commission over the handling of consumer data.

Joe Sullivan, the outgoing security chief, headed the response to the hack last year, according to a company spokesperson. The company’s board has been particularly interested in Sullivan’s decisions since 2015 and had hired a law firm to conduct an investigation into his doings earlier this fall. According to the company, that investigation is what uncovered the hacking and subsequent coverup.

From Bloomberg:

Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.

A patchwork of state and federal laws require companies to alert people and government agencies when sensitive data breaches occur. Uber said it was obligated to report the hack of driver’s license information and failed to do so.

“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals,” Khosrowshahi said. “We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”

After Uber’s confession, New York Attorney General Eric Schneiderman launched a secondary investigation into the hack. Meanwhile, U.K. regulators, including the National Crime Agency, are launching probes of their own. The company is also being sued for negligence over the breach by consumers seeking class-action status.

Khosrowshahi maintains that Uber is still on its mission of self-improvement. Under the previous CEO, the business became infamous for ignoring regulatory mandates and promoting a highly aggressive corporate culture that thrived on competitiveness. The current leadership says those days are over and wants to remove all the old skeletons from the company closet.

“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” Khosrowshahi said.

Get the latest TTAC e-Newsletter!

14 Comments on “Uber Paid Hackers to Delete the Stolen Data of 57 Million People...”

  • avatar
    Kyree S. Williams

    Why would you put your credentials in the GitHub repository? That’s just silly.

  • avatar

    > a private GitHub coding site

    sounds like a github server on uber’s intranet, not ?

  • avatar

    paying off hackers, what a brilliant idea!

    • 0 avatar

      Cetainly cheaper and better for the consumers than a year of credit monitoring and an apology.

      • 0 avatar

        Let’s be clear, all that the payoff was for was to silence the hackers. The stolen data was not “deleted”. Despite what Uber claims about “No evidence that the stolen data has been used”, the data is still out there in someone’s hands.

    • 0 avatar

      It is the proper solution. I’m sure Uber’s lawyers got together with the hacker’s lawyers and they came up with a legally enforceable contract. It’s impossible to copy such a large amount of information without an entire building full of secretaries and typewriters, so as long as the information was returned to Uber, they can be sure that nobody else will have possession of any of it in the future.

  • avatar

    As long as people keep handing over personally identifying information to others, others will continue to get hold of their personally identifying information. Pretending some imaginary “good others” can and will prevent equally imaginary “bad others” from getting the data, is as pathetic as the belief that “our government” is somehow better than all the other ones which are “bad”. Just plain silly.

    The only meaningful solution to this kind of problem, is to build payment systems that resemble digital cash. Instead of schemes that require personally identifiable information that can be used to trace and track you, as well as provide the holders a link to other aspects of your life and resources. Just non identifying cash. Untraceable, irrevocable, non divulging cash.

  • avatar

    100% autonomous cars operated by the likes of Uber?


    I can’t wait until the hackers start hacking autonomous cars. You want to go to Boston, you end up in Baltimore instead. Hilarity ensues. Maybe we could make a reality TV show out of it…When Uber Rides Go Bad.

  • avatar

    Terrorist hackers turning autonomous vehicles into people mowing machines

  • avatar

    I think it would be news if this kind of thing didn’t happen at Uber at this point in time.

Read all comments

Back to TopLeave a Reply

You must be logged in to post a comment.

Recent Comments

  • JMII: Things that make sense as an EV: your typical, daily commuter vehicle. Things that make NO sense as an EV: an RV
  • 28-Cars-Later: How so?
  • MRF 95 T-Bird: As well as Henry Ford II and Lee Iacocca on the Nixon tapes trying to postpone or gut auto safety...
  • tane94: The flush door handles were an AMC design cue on many models, always gave the side panels a nice streamlined...
  • 28-Cars-Later: Like its destruction.

New Car Research

Get a Free Dealer Quote

Who We Are

  • Adam Tonge
  • Bozi Tatarevic
  • Corey Lewis
  • Jo Borras
  • Mark Baruth
  • Ronnie Schreiber