Another day, another massive data breach. This time around, Uber was the target, but unlike with other hacks, the company took more than a year to disclose it to its customers.
According to a blog post from Uber, hackers managed to steal the personal data of a whopping 57 million Uber users in a data breach. Among those compromised, according to a Bloomberg report, were 7 million drivers, of whom around 600,000 had their driver's license numbers stolen. Uber says that the information did not include things like Social Security numbers or credit cards.
Uber didn’t keep the hack under wraps because it didn’t know about it, however. The Bloomberg report notes that former Uber CEO and co-founder Travis Kalanick was alerted to the breach in November 2016, only a month after the hack took place. An additional report from the Wall Street Journal further revealed that Uber’s new CEO Dara Khosrowshahi was alerted to the breach in early September, two weeks after he officially stepped in as the head of the company. Once he learned of the hack, he is said to have “immediately ordered an investigation, which he wanted to complete before making the matter public.”
So what was Uber doing in the year between the hack and the present day? Well, the Bloomberg report notes that instead of reporting the breach to investigators, which it was legally obliged to do, it contacted the hackers and paid them a whopping $100,000 to delete the data and keep quiet about it all. At the time of the hack, Uber was already negotiating with investigators for separate privacy violation claims — and it still failed to report the hack.
“None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” said Khosrowshahi, who took over in September, in the blog post. “We are changing the way we do business.”
Although Uber concealed the hack for a year, it does seem as though the company is telling the truth in saying that it’s “changing the way it does business.” Bloomberg reports that the company ousted Joe Sullivan, its chief security officer, and one of Sullivan’s deputies for their roles in covering up the data breach, which is at least a first step in changing its ways. The Uber blog mentioned that “two of the individuals that led the response to this incident are no longer with the company.”
This is not the first massive data breach of the year. Earlier in 2017, credit reporting agency Equifax was breached, potentially putting at risk the information of a whopping 143 million U.S. residents. The hack itself took place sometime between May and July, but was disclosed in September.
Update: New Uber executive Dara Khosrowshahi learned of the breach in September.