Uber's CEO Dara Khosrowshahi today revealed hackers broke into the ride-hailing app's databases and stole personal information on 57 million passengers and drivers – information including names, email addresses, and phone numbers.
And the cyber-thieves made off with 600,000 US driver records that included their license numbers.
And the hack happened in 2016 – yet, biz executives hushed up the break-in rather than alert the public.
In a statement on Tuesday, Khosrowshahi said the intruders accessed cloud-hosted data stores:
I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use. The incident did not breach our corporate systems or infrastructure.
At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.
You may be asking why we are just talking about this now, a year later. I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it.
"Obtained assurances" is a funny way of putting it.
No doubt this is what the chief exec discovered from that probe of his: in October 2016, two miscreants snatched from the app biz's GitHub code repo the keys needed to access its AWS S3 data stores containing the aforementioned personal information, Bloomberg reports. The hackers then demanded $100,000 from Uber in exchange for their silence and to destroy all their swiped copies of the records.
Rather than warn state and federal authorities of the personal data theft, as is required by the California upstart, Uber's chief of information security Joe Sullivan ordered that the crooks be paid off, the stolen files erased, and the whole thing hushed up, leaving riders and drivers none the wiser. The payout was disguised as a bug bounty prize complete with non-disclosure agreements signed.
Sullivan, previously a federal prosecutor, and one of his lieutenants were ousted from the company as a result of the new CEO's investigation, we're told. Khosrowshahi, who was installed at the San Francisco-based upstart over the summer, said steps have now been taken to ensure this kind of coverup is never repeated, and that security breaches will be disclosed in public in future as required:
While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.
The top boss was adamant that “outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded.” He added that the company was monitoring the affected accounts, and has flagged them for “additional fraud protection.” Anyone affected by the hack will be notified, he said.
It's worth pointing out that while the company is now alerting the authorities, California's data security breach notification law requires disclosure in “the most expedient time possible and without unreasonable delay.” Ie, not 12 months later.
As well as trouble potentially brewing in Cali over the hush up, New York Attorney General Eric Schneiderman has also launched an investigation into Uber's cockup – by our reckoning, perhaps only the fifth worst thing the controversial bad-boy biz has done over the past year. ®