The ride-sharing behemoth covered up a hack that hit 57 million users for more than a year, according to a new report from Bloomberg.
Uber released a statement on the 2016 attack, and also published resources for riders and drivers. The company said more sensitive information, such as location data, credit card numbers, bank account numbers, social security numbers, and birth dates, had not been compromised. Bloomberg news reported that the company paid the hackers $100,000 to delete the data and keep the breach quiet. Additionally, the info of 7 million drivers was exposed, including 600,000 driver's license numbers.
According to Bloomberg, the breach began when attackers accessed Github.com, a website used by software engineers, and obtained login credentials there for information stored on an Amazon Web Services account controlled by Uber.
According to the statement, the hack was performed by two people on a third-party cloud service. Uber said it is notifying regulatory authorities and offering free credit and identity theft monitoring for drivers.
"Later, they emailed Uber asking for money".
Uber disclosed the breach today despite having known about it since the incident occurred in October 2016.
The company's new CEO, Dara Khosrowshahi, said in a statement that he learned of the breach recently.
As he has in recent weeks, Khosrowshahi again took to apologizing for Uber's past issues and said he's working diligently to change how the company operates.
Bloomberg reports this week, Chief Security Officer Joe Sullivan and one of his deputies were booted from the company for their roles in keeping that hack a secret. "We are changing the way we do business".
Uber says that riders don't need to take any action and that it is monitoring the affected accounts for fraudulent activity. The company went on to state it has notified driver whose license numbers were stolen.
Uber took immediate steps at the time of the incident to secure the data and shut down further unauthorized access by the individuals. Uber's former chief legal officer Salle Yoo, who already announced her departure, was not aware of the matter.