In a fresh blow for Uber, reports emerged that hackers stole names, email addresses and phone numbers of a combined 57 million customers and drivers, and were paid $100,000 to delete the data and stay quiet.
The hack, which took place in October 2016, involved lifting code from a private GitHub site used by Uber engineers and logging into an Amazon Web Services account that handled computing tasks for the company. From there, the hackers were able to access and steal the personal data of over 50 million customers and 7 million Uber drivers, with around 600,000 driver’s licenses accessed.
According to Bloomberg, Uber said that “no Social Security numbers, credit card details, trip details or other data were accessed.” According to state and federal laws, corporations are required to alert their customers when sensitive data breaches occur. Former chief executive officer Travis Kalanick was privy to the information a month after the hack took place, but declined to mention it after settling an unrelated lawsuit with the Federal Trade Commission regarding the handling of consumer data.
Though the $100,000 bounty to hackers was reported, Uber has yet to confirm that the ransom was paid out.
The beleaguered ride-sharing service fired chief security officer Joe Sullivan and one of his deputies for concealing information about the hack. Sullivan, a former federal prosecutor, had joined Uber from Facebook and was under scrutiny by Uber’s board of directors for various security practices.
Current Uber chief executive Dara Khosrowshahi asked for the resignation of Sullivan, saying of the situation, “At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”
Khosrowshahi brought in cybersecurity expert Matt Olsen to further help Uber strengthen its data security teams and processes. This cyberattack puts Uber in the company of Yahoo, Equifax, Myspace and Target — brands that suffered major data breaches — and is another hit to the brand under its new chief executive, who is trying to rebuild its image after scandals under Kalanick and the loss of licensing in major cities like London.