It hasn’t been Uber’s year.
Just 10 hours ago, current CEO Dara Khosrowshahi published a blog post disclosing a massive data breach that took place in October 2016, and how the company concealed it for more than a year.
According to the post, compromised data include the names and driver’s license numbers of around 600,000 drivers in the US, and some personal information of 57 million Uber users around the world.
The information includes email addresses and mobile phone numbers.
However, trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were apparently not downloaded.
This was how the hack happened, according to sources:
Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.
The company then paid the hackers US$100,000 to delete the data they had taken and to keep the breach quiet.
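The attack path described above turns on cloud credentials sitting in a source repository. As an added example (not code from Uber or from the original article), the following scanner flags AWS access key IDs and high-entropy secret keys in committed configuration text, the kind of check a pre-commit hook or CI job can run; the sample credentials file and both key values in it are constructed placeholders, and the 3.5 bits/character entropy threshold is an assumption.

```python
import math
import re

# AWS access key IDs begin with AKIA (long-lived) or ASIA (temporary) followed
# by 16 base32 characters; the secret half is 40 characters of base64-style text.
AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z2-7]{16}\b")
AWS_SECRET_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\W{0,5}['\"]?([A-Za-z0-9/+=]{40})"
)

def shannon_entropy(value: str) -> float:
    """Bits per character; real keys score high, placeholders like 0000... score 0."""
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_text(text: str, min_entropy: float = 3.5):
    """Return (line_no, kind, value) for every credential-looking token found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID_RE.finditer(line):
            findings.append((line_no, "aws_access_key_id", m.group(0)))
        for m in AWS_SECRET_RE.finditer(line):
            secret = m.group(1)
            if shannon_entropy(secret) >= min_entropy:  # skips obvious dummies
                findings.append((line_no, "aws_secret_access_key", secret))
    return findings

def redact(value: str) -> str:
    """Never echo a full secret into CI logs; keep just enough to locate it."""
    return value[:4] + "..." + value[-4:]

# Constructed sample: an AWS credentials file accidentally committed to a repo.
# Both key values are placeholders, not real credentials.
SAMPLE_CONFIG = """\
[default]
aws_access_key_id = AKIAEXAMPLE2345ABCDE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[staging]
aws_access_key_id = ${AWS_ACCESS_KEY_ID}
aws_secret_access_key = ${AWS_SECRET_ACCESS_KEY}
[placeholder]
aws_secret_access_key = 0000000000000000000000000000000000000000
"""

def demo_scan():
    return scan_text(SAMPLE_CONFIG)
```

Running `demo_scan()` reports only the two literal credentials in the `[default]` section; the environment-variable references and the all-zero placeholder are left alone.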
Uber has also ousted Joe Sullivan, chief security officer, and one of his deputies for their roles in keeping the cyberattack under wraps.
According to Bloomberg, Sullivan was in charge of handling the response to the hack last year.
Bloomberg also reported last month “that the board commissioned an investigation into the activities of Sullivan’s security team”, and it was through this investigation that the hack and the cover-up were discovered.
Uber believes that, so far, the stolen data has not been used for fraud or misuse.
“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals,” Khosrowshahi said.
“We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”
Uber is currently notifying, individually, the drivers whose driver’s license numbers were downloaded, providing them with free credit monitoring and identity theft protection, and also notifying regulatory authorities.
“None of this should have happened, and I will not make excuses for it,” said Dara Khosrowshahi, current CEO.
“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”
[Update, 22 Nov 9:46am] Uber Singapore has shared with us their statement on the issue:
“We are in the process of notifying various regulatory and government authorities and we expect to have ongoing discussions with them. Until we complete that process we aren’t in a position to get into any more details.”
[Update, 22 Nov 3:50pm] Uber Singapore has shared with us a further statement regarding the cyberattack and the fraud incident:
“We have no reason to believe these two events are linked. The incident in 2016 did not breach our corporate systems or infrastructure, and our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, NRIC or dates of birth were downloaded.”