Uber is only now going public about an October 2016 data breach that affected the data of Uber drivers as well as 57 million users, exposing their names, email addresses, and mobile phone numbers.
Uber’s new CEO Dara Khosrowshahi said Tuesday that he only recently learned about the incident, which Uber discovered in November 2016.
“You may be asking why we are just talking about this now, a year later,” wrote Khosrowshahi, who was hired in August. “I had the same question, so I immediately asked for a thorough investigation.”
Uber found that “two individuals outside the company” accessed user data — including the names and driver’s license numbers of 600,000 drivers in the U.S. — via a third-party cloud service.
“We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed,” Uber’s CEO wrote.
According to Bloomberg, Uber paid the hackers $100,000 to delete the data and stay quiet.
No trip location history, credit card numbers or other sensitive data like Social Security numbers were downloaded by the hackers, Khosrowshahi said. Uber is now notifying drivers affected by the breach and monitoring affected user accounts with additional fraud protection. So far, Uber has found no evidence of fraud or misuse related to the breach.
However, it’s unclear why Uber didn’t alert regulatory authorities. Most states, including California, have laws that demand companies disclose data breaches when they affect local residents’ personal information.
“None of this should have happened, and I will not make excuses for it,” according to Khosrowshahi, who fired the two people who led the company’s response to the breach. That includes Uber’s chief security officer Joe Sullivan, Bloomberg says.
“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” Khosrowshahi said.
Uber did not immediately respond to a request for comment.
Why paying hackers can be problematic
The company’s decision to reportedly pay off the hackers is raising a lot of questions.
Did the hackers really delete the stolen data? Why is Uber so confident that the hackers kept their word?
“You are basically relying on the integrity of a criminal group,” said security expert Vincent Weafer, vice president of McAfee Labs.
Uber’s statement on Tuesday oddly indicates the company actually knows the hackers’ identities. But that same statement doesn’t mention anything about Uber contacting the FBI to arrest the hackers.
“It’s a very unusual case,” said Weafer, who pointed out that hackers can’t be trusted.
For instance, many businesses are experiencing ransomware attacks from cybercriminals. These attacks will hold computer systems hostage, and demand the victims pay a ransom to free them.
However, hackers have no obligation to release the computers when paid, and can often leave the computers infected, Weafer said.
“When people have paid the money, you still never know for sure if the breach has been contained or any information has been leaked,” he added. “In this case, we still don’t know enough.”
News of the breach is stirring up plenty of debate among security experts over Uber’s handling of the situation.
Why Uber decided to keep the data breach secret is another key question. Under its previous CEO, Travis Kalanick, the company gained a nasty reputation for breaking the rules, and avoiding the authorities.
The company’s new CEO, Khosrowshahi, is working to repair that reputation and making Uber more transparent. In response to the breach, he’s hired a former general counsel for the U.S. National Security Agency to help Uber improve its security teams.