Uber Hack Exposes Data of 57m Users and Drivers
Uber has admitted to covering up a breach that could have exposed the personal data of around 57m customers and drivers.
Details of the breach have only just been released, with the hack allegedly occurring in October 2016. According to the company, hackers gained access to millions of customer names, email addresses and phone numbers, alongside the license numbers for around 600,000 US drivers. However, the company claims that more sensitive data, such as credit card numbers, bank details and location information, was not compromised.
Rather than notify regulators and customers, Uber chose to pay the hackers $100,000 to delete the data affected and keep quiet about the breach. The company then concealed details of the hack for over a year, until Bloomberg finally broke the news to the public earlier this month.
The breach occurred when hackers obtained login details for Uber’s Amazon Web Services account, where the data was stored unencrypted, giving them easy access to millions of lines of sensitive data. The fact that the data was unencrypted was “unforgivable” and “amateur”, web security experts say.
Employees directly responsible for the cover-up have now been fired, and an internal investigation is allegedly underway. In a statement acknowledging the hack, current Uber CEO Dara Khosrowshahi said: “None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”
“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”
Lawyers say that as Uber did not immediately notify regulators, it is now legally responsible for the breach. Consequently, Uber now faces legal action in a number of US states, with the California and New York attorneys general both opening investigations into the company.
The hack is only the latest in what has been an eventful year for Uber, which has seen the company legally obliged to stop operating in Italy, Denmark, and London, lose an employment tribunal, and undergo an investigation into internal working practices.