
Uber paid hackers $100k to cover up data breach which affected 57m users

Alex Spencer

Uber covered up a 2016 data breach which affected 57m users of its service, including paying $100,000 (£75,500) to the hackers responsible.

Uber quietly admitted to the breach yesterday, in a blog post from CEO Dara Khosrowshahi.

"I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use," Khosrowshahi said. "The incident did not breach our corporate systems or infrastructure."

Uber says that there is no sign that financial details, dates of birth or trip location histories were stolen, but hackers did gain access to personal information on 57m Uber users, both drivers and passengers, including the driver's license numbers of 600,000 drivers in the US.

"At the time of the incident, we took immediate steps to secure the data and shut down further unauthorised access by the individuals," said Khosrowshahi. "We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed."

What he doesn't mention is that – as first reported by Bloomberg – Uber actually paid off these individuals once it had identified them. The two hackers were reportedly given $100,000 in order to delete the data and keep the breach quiet.

Khosrowshahi did, however, address the company's long silence on the breach, and acknowledged its wrongdoing.

"You may be asking why we are just talking about this now, a year later. I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it. What I learned, particularly around our failure to notify affected individuals or regulators last year, has prompted me to take several actions."

First and foremost of these actions was the firing of the two Uber employees who handled this response – namely, according to Bloomberg, chief security officer Joe Sullivan and senior lawyer Craig Clark.

Data breaches are nothing new – and the 57m affected pales in comparison to Yahoo's record-setting 3bn – but this is just the latest example of questionable conduct from Uber. In 2017 alone, it has faced an intellectual property lawsuit from Alphabet's self-driving car division Waymo; a UK ruling that its drivers are employees and should be treated as such; and allegations of sexual harassment and discrimination. Amidst all of these scandals, former CEO Travis Kalanick – himself the subject of a fraud lawsuit from a major Uber investor – was forced to resign his post.

Referring to the breach – though he could be addressing all the incidents that happened before his appointment – Khosrowshahi said: "None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers."