Uber paid hackers to conceal massive data breach
Uber has admitted that it suffered a data breach in 2016 that saw the personal information of 57 million users and drivers stolen.
The company later paid the hackers $100,000 (£75,500) to delete the data and keep the breach secret.
“I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use,” the taxi-hailing company’s chief executive Dara Khosrowshahi said in a blog post. “The incident did not breach our corporate systems or infrastructure.”
“Our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded.”
“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals,” he added.
“We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”
The data was stored in the third-party cloud-based service GitHub before it was deleted.
The failure to reveal the breach to the public, together with the payment to the hackers, is seen as an attempt to keep the incident under wraps.
Uber said it was providing drivers with free credit monitoring and identity theft protection in case the data was used inappropriately, but won’t offer the same service to users.
Former general counsel of the US National Security Agency Matt Olsen has been brought in to restructure the company’s security teams and processes. The company also hired Mandiant, a cybersecurity firm owned by FireEye, to investigate the breach.
Uber has a history of failing to protect driver and passenger data. Hackers previously stole information about Uber drivers, and the company acknowledged in 2014 that its employees had used a software tool called “God View” to track passengers.
In October a security researcher discovered that Uber’s iPhone app was given unprecedented access to iOS user information, allowing it to record a user’s screen without their knowledge – functionality that’s supposed to be kept off-limits to anyone but Apple.