Uber has confirmed that the company concealed a hack in 2016 that affected 57 million customers and drivers, and paid hackers $100,000 (£75,000) to delete the data.
According to Uber, 600,000 drivers had their names and licence details exposed. Within that number, the hackers found 57 million names, email addresses and mobile phone numbers. A resource page for those affected has been set up.
The company’s former chief executive Travis Kalanick was aware of the breach over a year ago, according to Bloomberg, which first broke the news.
Drivers have been offered free credit monitoring protection, but according to Uber’s statement, affected customers will not be given the same.
Uber’s chief executive Dara Khosrowshahi said: “While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection. None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”
In the wake of the news, Uber’s chief security officer Joe Sullivan has left the company.
Uber did not confirm precise details of the hack – and it is not known which countries were affected – but according to Bloomberg’s report, two hackers were able to access a private area of GitHub, an online resource for developers. From there it is understood they found Uber’s login credentials to Amazon Web Services.
In January, Uber was fined $20,000 for failing to disclose a considerably less serious breach in 2014.
As is often the case, it will likely be the cover up that proves more troublesome for Uber than the hack itself. Companies are required to disclose significant data breaches to regulators, something it has by its own admission failed to do in this case.
The UK’s Information Commissioner’s Office (ICO) has “huge concerns about Uber’s data policies and ethics” following the breach, and Deputy Commissioner James Dipple-Johnstone said these actions were unacceptable.
“It’s always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers. Deliberately concealing breaches from regulators and citizens could attract higher fines for companies.
“If UK citizens were affected, then we should have been notified so that we could assess and verify the impact on people whose data was exposed.”
He said the ICO would work with the National Cyber Security Centre (NCSC) to determine the scale of the breach and how it affected people in the UK, as well as considering the next steps that Uber needed to take to comply “with its data protection obligations”.
Next year, EU countries will radically alter data protection laws to offer consumers greater control over the data they share with companies.
The General Data Protection Regulation (GDPR) aims to impose huge fines on companies that conceal data breaches. Under the new rules, companies have to notify data regulators about a breach within 72 hours of becoming aware of a hack. They face fines of 4% of their global annual turnover or 20 million euros (£18m), whichever is higher, if they are found to be in breach of the regulations.