Uber concealed cyberattack that affected 57 million customers for over a year

Hackers stole the private data of both drivers and passengers

American ridesharing giant Uber allegedly concealed — for over a year — a data breach that affected approximately 57 million customers, according to Bloomberg.

The data was accessed in October 2016, and included names, email addresses and phone numbers of approximately 50 million Uber passengers.

The personal information of approximately seven million Uber drivers was also accessed, including approximately 600,000 U.S. driver’s license numbers.

Uber told Bloomberg that no “Social Security numbers, credit card details, trip location info or other data were taken.”

Former Uber CEO Travis Kalanick was made aware of the hack in November 2016 and the company ultimately paid $100,000 USD to hackers to delete the compromised data.

According to Bloomberg, hackers were able to access a private GitHub site used by Uber employees and then used login credentials obtained from an Amazon Web Services account to access an archive of passenger and driver information.

Uber also told Bloomberg that the company failed to report the breach to the appropriate state and federal authorities.

“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals,” said Dara Khosrowshahi, Uber’s new CEO, in an email statement to Bloomberg. “We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”

Uber fired Joe Sullivan, the company’s chief security officer at the time of the breach, earlier this week. Sullivan and “one of his deputies” were responsible for hiding the details of the hack, according to Bloomberg.

Uber has released a formal statement to its U.S. customers expounding on the details of the hack.

The company has hired Matt Olsen, a former general counsel of the National Security Agency and director of the National Counterterrorism Center, to “structure our security teams and processes going forward,” according to Uber’s statement.

The company said that the hack did not affect Uber’s corporate systems and infrastructure.

“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” said Khosrowshahi in the November 21st, 2017 statement. “We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”

Source: Bloomberg, Uber