SAN FRANCISCO—Hackers stole the personal data of 57 million customers and drivers from Uber, the company reported Tuesday, adding that it concealed the massive breach for more than a year.
Uber has fired its chief security officer and one of his deputies for their roles in hiding the breach—including a $100,000 payment to the hackers, Bloomberg reported.
Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world, the company told Bloomberg on Tuesday. The personal information of about seven million drivers was accessed as well, including some 600,000 U.S. driver’s license numbers. No Social Security numbers, credit card information, trip location details or other data were taken, Uber told Bloomberg.
“At the time of the incident, Uber was negotiating with U.S. regulators investigating separate claims of privacy violations. Uber now says it had a legal obligation to report the hack to regulators and to drivers whose license numbers were taken. Instead, the company paid hackers to delete the data and keep the breach quiet. Uber said it believes the information was never used but declined to disclose the identities of the attackers,” Bloomberg reported.
“None of this should have happened, and I will not make excuses for it,” Dara Khosrowshahi, who took over as chief executive officer in September, told Bloomberg. “We are changing the way we do business.”
Following the Uber’s announcement of the breach, New York Attorney General Eric Schneiderman launched an investigation into the hack, his spokeswoman Amy Spitalnick told Bloomberg.
Travis Kalanick, Uber’s co-founder and former CEO, learned of the hack in November 2016, a month after it took place, the company said. Uber had just settled a lawsuit with the New York attorney general over data security disclosures and was in the process of negotiating with the Federal Trade Commission over the handling of consumer data, Bloomberg reported.
Bloomberg explained that two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company, Bloomberg said.