Hackers stole the data of 57 million Uber riders and drivers

Uber admitted Tuesday that hackers stole personal data belonging to 57 million customers and drivers — a fact it concealed for more than a year.
The attack, which took place in October 2016, resulted in the worldwide theft of names, email addresses and phone numbers belonging to 50 million Uber riders, according to Bloomberg, which first reported the hack.

Uber disclosed that hackers had stolen 57 million driver and rider accounts and that the company had kept the data breach secret for more than a year after paying a $100,000 ransom.

The deal was arranged by the company’s chief security officer and under the watch of the former chief executive, Travis Kalanick, according to several current and former employees who spoke on the condition of anonymity because the details were private.

The security officer, Joe Sullivan, has been fired. Mr. Kalanick was forced out in June, although he remains on Uber’s board.
Uber was required to alert regulators and drivers whose driver’s license numbers were compromised by the hack. Instead, Uber paid the hackers $100,000 to erase the stolen data and keep word of the breach hidden, according to Bloomberg.

To further conceal the damage, Uber executives also made it appear as if the payout had been part of a “bug bounty” — a common practice among technology companies in which they pay hackers to attack their software to test for soft spots.

The details of the attack remained hidden until Tuesday. The ride-hailing company said it had discovered the breach as part of a board investigation into Uber’s business practices.

The hackers reportedly stole passwords belonging to Uber engineers from a private GitHub coding site. They then used those credentials to access company data stored on Amazon Web Services and contacted Uber, demanding money. Uber obliged.
“None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” said Khosrowshahi, who has been tasked with rectifying Uber’s image and business practices after replacing the company’s controversial founder, Travis Kalanick, as head of the company in August.

The breach at Uber is far from the most serious exposure of sensitive customer information. The two breaches that Yahoo announced in 2016 eclipse Uber’s in size, and an attack disclosed in September by Equifax, the consumer credit reporting agency, exposed a far deeper trove of personal information for a far larger group of people.