Hackers stole the personal data of more than 57 million Uber customers and drivers in 2016. This was one of the biggest data breaches that took place in 2016, and it’s likely you never heard about it until now. That’s because Uber responded by paying the hackers $100,000 to keep the breach quiet and to delete the data.
This week, Uber relieved its chief of security and someone under his command of their duties for their part in keeping the hack quiet from the public. This also included their part in paying $100,000 to the hackers so that the public’s data would remain private.
The data found to be compromised in the attack, which occurred in October 2016, included full names, phone numbers, and email addresses. The breach involved the information of more than 50 million Uber users around the world. An additional 7 million people also had their data accessed, including around 600,000 U.S. driver’s license numbers. Uber stated to Bloomberg that no social security card details were accessed. Hackers also had no access to trip details or other data.
Based on reports, the data was stored in an Amazon Web Services account. The hackers gained access when they recovered the login details of a private GitHub, which is used by Uber employees.
Despite not originally informing anyone of the hack, Uber now believes that it has a legal obligation to inform those who might have been affected by the data breach, especially those who had their license numbers taken. While Uber paid to keep the hackers quiet and delete the data, now that it is disclosing the breach, it has declined to reveal the identities of those responsible.
Dara Khosrowshahi, Uber’s chief executive officer, wrote in a statement, “None of this should have happened, and I will not make excuses for it.” He went on to say, “We are changing the way we do business.”
While the employees responsible for not reporting the breach have been let go, Uber may still be held responsible for the way things were handled. Data breach disclosure laws may have been violated. If the Federal Trade Commission determines this to be the case, it could prompt a larger investigation.
This may be the first major data breach of its kind for Uber, but it’s the latest in a growing list of privacy screwups. Uber riders may remember when the company unknowingly left social security numbers and other data exposed on the Internet.
Uber plans to address customers in a statement informing them that it has not seen any “evidence of fraud or misuse” that can be tied to the hack. As the driver’s license numbers that were taken belong to Uber drivers, the company will also be supplying those compromised employees with free credit protection monitoring to protect against identity theft.