Uber Paid Hackers to Delete the Stolen Data of 57 Million People

by Matt Posky

In the midst of Uber Technologies’ corporate restructuring and cultivation of a squeaky-clean new image, the ride-hailing company was apparently hiding a dark secret. Striving for transparency, the company has now confessed that hackers stole the personal information of 57 million customers and drivers in October of 2016.

The coverup, apparently conducted by the firm’s chief security officer and another staff member, involved over $100,000 in payments to the hackers in the hopes of keeping them quiet. The data lost included names, email addresses, and phone numbers of around 50 million Uber riders across the globe. Another 7 million drivers were also subjected to the digital attack, with over half a million of those losing their driver’s license numbers.

In an interview with Bloomberg, Uber claimed that no Social Security numbers or credit card information was lost during the original incident. But it also confessed that it ignored its legal obligation to come forward about the nature of the attack and shouldn’t have paid hackers to delete the stolen data and keep the event secret.

“None of this should have happened, and I will not make excuses for it,” Dara Khosrowshahi, Uber’s chief executive officer since September, said in a statement. “We are changing the way we do business.”

While large companies losing customer data to digital criminals is nothing new, Uber going so far out of its way to ensure a coverup is alarming. Travis Kalanick, Uber’s co-founder and former CEO, appears to have learned of the hack in November 2016, one month after it took place. At the time, Uber had only just settled a lawsuit with the New York attorney general over data security disclosures, and was in the process of negotiating with the Federal Trade Commission over the handling of consumer data.

Joe Sullivan, the outgoing security chief, headed the response to the hack last year, according to a company spokesperson. The company’s board has been particularly interested in Sullivan’s decisions since 2015 and had hired a law firm to conduct an investigation into his doings earlier this fall. According to the company, that investigation is what uncovered the hacking and subsequent coverup.

From Bloomberg:

Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.

A patchwork of state and federal laws require companies to alert people and government agencies when sensitive data breaches occur. Uber said it was obligated to report the hack of driver’s license information and failed to do so.

“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals,” Khosrowshahi said. “We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”

After Uber’s confession, New York Attorney General Eric Schneiderman launched a secondary investigation into the hack. Meanwhile, U.K. regulators, including the National Crime Agency, are launching probes of their own. The company is also being sued for negligence over the breach by consumers seeking class-action status.

Khosrowshahi maintains that Uber is still on its mission of self-improvement. Under the previous CEO, the business became infamous for ignoring regulatory mandates and promoting a highly aggressive corporate culture that thrived on competitiveness. The current leadership says those days are over and wants to remove all the old skeletons from the company closet.

“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” Khosrowshahi said.
