Hackers accessed data belonging to 57 million Uber riders and drivers in late 2016, including email addresses, phone numbers, and driver's license numbers. Instead of disclosing the breach, Uber paid $100,000 to the hackers in exchange for their silence. The secret payment ultimately cost several Uber security executives their jobs.
Joe Sullivan, Uber’s chief security officer, and Craig Clark, a lawyer who reported to him, were fired because of the handling of the incident, Bloomberg reported. Sullivan previously worked on security at Facebook before joining Uber in 2015 and had been credited with tightening Uber’s security as the company matured.
Hackers were able to access the user data on an Amazon Web Services account and managed to scrape names and email addresses for millions of users. The breach also included 600,000 license numbers for drivers in the US. No Social Security numbers or location information was stolen, and the hackers agreed to delete the data in exchange for the payment—although it’s unclear how Sullivan or Uber verified that the hackers did indeed delete it.
“You may be asking why we are just talking about this now, a year later. I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it,” Uber’s new CEO, Dara Khosrowshahi, said in a statement.
In an attempt to make things right, Uber is offering drivers free credit monitoring and identity theft protection, and Uber says it is notifying regulatory authorities. At the time of the 2016 incident, Uber was negotiating with the Federal Trade Commission to resolve privacy issues related to a 2014 breach.
“None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers,” Khosrowshahi added.
Uber says that riders don’t need to take any action and that it is monitoring the affected accounts for fraudulent activity.