Earlier this week, Uber’s CEO Dara Khosrowshahi acknowledged in a blog post that his company had suffered a hack involving the personal information of 57 million Uber users and drivers roughly one year ago.
The security breach involved two individuals outside the company, who had illegitimately accessed user data stored on a third-party cloud-based service that Uber uses. According to Khosrowshahi, the incident did not affect corporate systems or infrastructure. The company, unhappy with how the breach was handled, has fired its Chief Security Officer, Joe Sullivan, and one other employee.
The compromised information from the October 2016 attack included names, email addresses and phone numbers of 57 million Uber riders worldwide, as well as the names and driver’s license numbers of approximately 600,000 U.S. Uber drivers.
After company executives learned of the incident in November 2016, Uber took immediate steps to contain and prevent harm, securing the data and shutting down further unauthorized access by the individuals. However, regulatory authorities and affected individuals were not properly notified, and company protocol was not followed.
In his blog post, Khosrowshahi said the perpetrators were “subsequently identified and [we] obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.” Bloomberg reported that those “assurances” were obtained via a $100,000 payment to the attackers. Bloomberg has also reported that the first lawsuit against Uber regarding the incident has been filed in a Los Angeles federal court. The suit states that the service “failed to implement and maintain reasonable security procedures and practices appropriate to the nature and scope of the information compromised in the data breach.”
Matt Olsen, a co-founder of a cybersecurity consulting firm and former general counsel of the National Security Agency and director of the National Counterterrorism Center, will assist Khosrowshahi in structuring future Uber security teams and processes. Drivers whose license numbers were downloaded are being notified and provided with free credit monitoring and identity theft protection.