This week Uber fired its chief security officer and one of his deputies. The reason? They had concealed a massive security breach for more than one year. And that’s not all: in order to convince the hackers to delete the information on 57 million people, the security officers paid the hackers $100,000.
At the time of the incident, Uber was negotiating with U.S. regulators investigating separate claims of privacy violations. Uber now says it had a legal obligation to report the hack to regulators and to drivers whose license numbers were taken. Instead, the company paid hackers to delete the data and keep the breach quiet. Uber said it believes the information was never used but declined to disclose the identities of the attackers.
Dara Khosrowshahi, who became the company’s CEO back in September, has published a long statement on Uber’s website explaining “that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use. The incident did not breach our corporate systems or infrastructure.”
Uber’s outside forensics experts “have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded,” he continued. “However, the individuals were able to download files containing a significant amount of other information.”
That information includes names, email addresses, and mobile phone numbers of 57 million Uber customers around the world, and the names and driver’s license numbers of 600,000 drivers in the United States.
According to Khosrowshahi, Uber made sure that the hackers deleted the downloaded data when the company cut the deal with them. Additionally, Uber “also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”
In order to make sure that the hackers don’t renege on the deal, Uber is “monitoring the affected accounts and have flagged them for additional fraud protection.” The company is also providing the 600,000 American drivers “with free credit monitoring and identity theft protection.” Finally, Khosrowshahi is working with former NSA general counsel Matt Olsen to help him “think through how best to guide and structure our security teams and processes going forward.” As part of those security reforms, Uber’s chief security officer and his deputy were let go.