Uber Pays Hackers $100k to Hush Up Massive Data Breach

When Uber was run by Travis Kalanick, its first CEO and founder, it often resembled a criminal enterprise. It violated laws, spied on its customers, lied to investigators, played tricks on its competitor, and is being sued for stealing a competitor’s trade secrets. Only after one of its female employees, Susan Fowler, went public with how she and others were harassed and discriminated against was Kalanick replaced as CEO.

But replacing the CEO did not end the embarrassment. Bloomberg just disclosed that hackers stole the personal data of 57 million customers and drivers from the company's servers. That's bad enough, but the company also covered it up for more than a year by paying the hackers $100,000 to hush things up.

The stolen data included the names, email addresses, and phone numbers of 50 million Uber passengers and 7 million drivers, as well as 600,000 U.S. driver's license numbers. The breach occurred more than a year ago, in October 2016, and had been concealed until Bloomberg revealed it.

Here's how the hack occurred: The attackers accessed a coding site used by Uber software engineers, stole the engineers' login credentials, and used them to access data stored on Uber's servers run by Amazon Web Services. There the hackers discovered the rider and driver data. They then contacted Uber, asking for $100,000 in exchange for not releasing the data.

Uber is obliged by law, and by previous agreements it entered into with law enforcement and government agencies, to disclose as soon as it learns of any data being compromised. But instead, the company covered it up.

Kalanick learned of the breach in November 2016 but, with his chief of security, made the secret $100,000 payment and hid it from law enforcement and the rest of the company.

Uber's new CEO, Dara Khosrowshahi, who joined a few months ago, explained, “At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals…. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”

He then terminated Joe Sullivan, Uber’s security chief, and his assistant for their role in this incident.

What about Kalanick, who was also complicit? He remains as a board member and recently appointed two new members to serve with him.