Uber: No evidence hackers took rider credit card numbers (Update)

December 13, 2017

An outside cyber security firm hired by Uber after a massive data theft found no evidence that rider credit card, bank account or Social Security numbers were downloaded by two hackers, the company said in a response to demands for information from U.S. senators.

But the ride-hailing company disclosed that in some cases, the hackers got location information from the place where people signed up for Uber, as well as heavily encoded versions of user passwords.

On Nov. 21, Uber disclosed that names, email addresses and mobile-phone numbers of 57 million drivers and riders had been stolen. In a letter to four Republican senators led by Commerce committee Chairman John Thune of South Dakota, the company says that Mandiant, the security firm, found 32 million of those are outside the U.S. and 25 million are inside. Of the total, 7.7 million are drivers, mostly in the U.S., and hackers got driver's license numbers for 600,000 of them, according to the letter from new Uber CEO Dara Khosrowshahi.

The ride-hailing company also said it has not seen evidence of fraud or misuse of data taken in the breach, which lasted more than a year before being disclosed. Two employees were fired for not disclosing the theft to "appropriate parties," the letter said.

The hackers emailed Uber's U.S. security team anonymously on Nov. 14, 2016 telling them about the breach and demanding a payment. Uber tracked down the breach in private cloud data stored on Amazon's web services and shut down access, which came through a "compromised credential," the letter said.

The security team agreed to pay $100,000 to the hackers for an agreement to delete the data, and later tracked down the hackers' real names. Both signed documents assuring that the stolen data was destroyed, Khosrowshahi wrote. Team members found that the hackers first gained access on Oct. 13, 2016, and there was no further access after Nov. 15, 2016, the letter said.

Uber notified the U.S. Attorney's offices in San Francisco and Manhattan, as well as other government agencies, on Nov. 21 of this year, but it's not clear whether any criminal investigation has been started. Neither office confirmed nor denied an investigation.

Uber installed additional protections to stop hackers, including a two-step authentication for one of the services that was hacked, the letter said.

Explore further: Uber in legal crosshairs over hack cover-up

Related Stories

Uber in legal crosshairs over hack cover-up

November 22, 2017

Two US states on Wednesday confirmed they are investigating Uber's cover-up of a hack at the ride-sharing giant that compromised the personal information of 57 million users and drivers.

Should Uber users be worried about data hack?

November 22, 2017

The theft of the personal data of 57 million Uber riders and drivers highlights how vulnerable we make ourselves when we install apps on our mobile phones and tablet computers.

Washington state sues Uber over data breach cover-up

November 28, 2017

Washington state is suing the ride-hailing company Uber, saying it broke state law when it failed to notify more than 10,000 drivers in the state that their personal information was accessed as part of a major data breach.

Explainer: What the Uber data breach is all about

November 23, 2017

When Uber paid a $100,000 ransom so that hackers who broke into its data warehouse would destroy the personal information they stole, it allowed the ride-sharing company to keep a massive breach of 57 million user and driver ...

Recommended for you

Researchers find tweeting in cities lower than expected

February 20, 2018

Studying data from Twitter, University of Illinois researchers found that less people tweet per capita from larger cities than in smaller ones, indicating an unexpected trend that has implications in understanding urban pace ...

Augmented reality takes 3-D printing to next level

February 20, 2018

Cornell researchers are taking 3-D printing and 3-D modeling to a new level by using augmented reality (AR) to allow designers to design in physical space while a robotic arm rapidly prints the work.

What do you get when you cross an airplane with a submarine?

February 15, 2018

Researchers from North Carolina State University have developed the first unmanned, fixed-wing aircraft that is capable of traveling both through the air and under the water – transitioning repeatedly between sky and sea. ...

0 comments

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.