Uber reveals cover-up of hack affecting 57M riders, drivers (Update)

November 22, 2017 by Michael Liedtke
Uber reveals cover-up of hack affecting 57M riders, drivers
In this March 15, 2017, file photo, a sign marks a pick-up point for the Uber car service at LaGuardia Airport in New York. Uber is coming clean about its cover-up of a year-old hacking attack that stole personal information about more than 57 million of the beleaguered ride-hailing service's customers and drivers. The revelation Tuesday marks the latest stain on Uber's reputation. (AP Photo/Seth Wenig, File)

Uber is coming clean about its cover-up of a year-old hacking attack that stole personal information about more than 57 million of the beleaguered ride-hailing service's customers and drivers.

So far, there's no evidence that the data taken has been misused, according to a Tuesday blog post by Uber's recently hired CEO, Dara Khosrowshahi. Part of the reason nothing malicious has happened is because Uber acknowledges paying the hackers $100,000 to destroy the stolen information.

The revelation marks the latest stain on Uber's reputation. It also brought an investigation from New York's attorney general and threats of larger-than-normal fines from British authorities for failing to promptly disclose the hack.

The San Francisco company ousted Travis Kalanick as CEO in June after an internal investigation concluded he had built a culture that allowed female workers to be sexually harassed and encouraged employees to push legal limits.

It's also the latest major breach involving a prominent company that didn't notify the people that could be potentially harmed for months or even years after the break-in occurred.

Yahoo didn't make its first disclosure about hacks that hit 3 billion user accounts during 2013 and 2014 until September 2016. Credit reporting service Equifax waited several months before revealing this past September that hackers had carted off the Social Security numbers of 145 million Americans.

Khosrowshahi criticized Uber's handling of its data theft in his blog post.

"While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes," Khosrowshahi wrote. "We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers."

That pledge shouldn't excuse Uber's previous regime for its egregious behavior, said Sam Curry, chief security officer for the computer security firm Cybereason.

"The truly scary thing here is that Uber paid a bribe, essentially a ransom to make this breach go away, and they acted as if they were above the law," Curry said. "Those people responsible for the integrity and confidentiality of the data in-fact covered it up."

The heist took the names, email addresses and mobile phone numbers of 57 million riders around the world. The thieves also nabbed the driver's license numbers of 600,000 Uber drivers in the U.S.

Uber waited until Tuesday to begin notifying the drivers with compromised driver's licenses, which can be particularly useful for perpetrating identify theft. For that reason, Uber will now pay for free credit-report monitoring and identity theft protection services for the affected drivers.

Kalanick, who still sits on Uber's board of directors, declined to comment on the data breach that took place in October 2016. Uber says the response to the hack was handled by its chief security officer, Joe Sullivan, a former federal prosecutor whom Kalanick lured away from Facebook in 2015.

As part of his effort to set things right, Khosrowshahi extracted Sullivan's resignation from Uber and also jettisoned Craig Clark, a lawyer who reported to Sullivan.

Clark didn't immediately respond to a request for comment sent through his LinkedIn profile. Efforts to reach Sullivan were unsuccessful.

On Wednesday, New York Attorney General Eric Schneiderman's office confirmed that it had opened an investigation into the data theft, but a spokeswoman wouldn't comment further. New York law requires that companies notify the attorney general and consumers if data is stolen.

In London, Britain's Deputy Information Commissioner James Dipple-Johnstone said Wednesday the company faces "higher fines" because it concealed the hack from the public.

The Information Commissioner's Office and the National Cyber Security Center are working to gauge the severity of the problem for British Uber users.

Uber's silence about its breach came while it was negotiating with the Federal Trade Commission about its handling of its riders' information.

Earlier in 2016, the company reached a settlement with the New York attorney general requiring it to take steps to be more vigilant about protecting the information that its app stores about its riders. As part of that settlement, Uber also paid a $20,000 fine for waiting to notify five months about another data breach that it discovered in September 2014.

Explore further: Uber CEO holds 'constructive' talks with London officials

Related Stories

Uber boss to meet London transport chief over ban

September 29, 2017

New Uber boss Dara Khosrowshahi will visit London on Tuesday to meet with the city's transport chiefs "to make things right" following their decision not to renew the firm's licence, the company said.

Uber in London court in employment case

September 27, 2017

Uber lawyers are in a London courtroom trying to overturn a ruling that its drivers are employees of the ride-hailing service—not independent contractors.

Recommended for you

The wet road to fast and stable batteries

December 14, 2017

An international team of scientists—including several researchers from the U.S. Department of Energy's (DOE) Argonne National Laboratory—has discovered an anode battery material with superfast charging and stable operation ...

US faces moment of truth on 'net neutrality'

December 14, 2017

The acrimonious battle over "net neutrality" in America comes to a head Thursday with a US agency set to vote to roll back rules enacted two years earlier aimed at preventing a "two-speed" internet.

0 comments

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.