Fifty-seven million customers’ and drivers’ personal data was stolen from Uber Technologies Inc in an October 2016 attack. The data includes names, email addresses and phone numbers of Uber riders around the world, plus the personal information of roughly 7 million drivers. Uber reports that no Social Security numbers, credit card information, trip location details or other data were taken.
This week, the ride-hailing company fired its chief security officer and one of his deputies for their roles in keeping the hack quiet, including a $100,000 payment to the attackers to delete the data, Bloomberg reports. Uber says it believes the stolen information was never used.
Following the company’s disclosure of the breach Tuesday, New York Attorney General Eric Schneider launched an investigation into the hack, and the company was also sued for negligence over the breach.
The breach involved two attackers accessing a private coding site used by Uber software engineers and using login credentials obtained there to access data stored on an Amazon Web Services account. From there, the hackers found cloud-stored rider and driver information, later emailing Uber asking for money, the company reported. Uber said it was obligated to report the hack of driver’s license information and failed to do so.
The company did, however, take immediate steps to secure the data and thwart further unauthorized access by those individuals, as well as implementing security measures to restrict access and strengthen controls on cloud-based storage, says Dara Khosrowshahi, who took over as CEO in September.
“None of this should have happened, and I will not make excuses for it,” said Khosrowshahi in an emailed statement. “We are changing the way we do business.”
The breach and subsequent failure to disclose are only part of a recent spate of scandals to hit Uber in the past year, including many executive shake-ups.
According to Jonathan Sander, Vice President, STEALTHbits Technologies: “The attention in this newly revealed Uber breach will likely focus on how it was covered up and the executive suite drama that haunts Uber. But none of that is surprising. People in power often act to cover up their mistakes and Uber executive drama is cliché at this point. What is constantly shocking to me is that people continue to make the same mistakes over and over when it comes to security. This happened because of reused credentials, poorly secured sensitive information left in the wrong place, and a lack of discipline in access control that led to the developers having piles of user data to be stolen. Security pros would have flipped out with any one of those in play – and you can imagine exasperated security folks at Uber talking themselves blue in the face about it. But despite this security drama playing out over and over, the only drama people tune into is the executive suite’s machinations.”
However, Ryan Wilk, Vice President of Customer Success for NuData Security (a Mastercard company), sees a silver lining in Uber’s response: "While the news of the Uber breach is never something you want to hear, it is refreshing to see a company taking such quick and decisive action to earn back the consumers trust. Uber CEO Dara Khosrowshahi’s statement that there is no excuse for what happened and that Uber will be putting integrity and trust at the core of every business decision is a welcome message."