Hackers stole the personal data of 57 million Uber riders in 2016, and the company paid the cybercriminals $100,000 to keep the data breach under wraps, according to a blog post published by Uber and a story by Bloomberg.
“Two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use,” Uber’s CEO Dara Khosrowshahi wrote in the blog. “None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”
The data stolen by the hackers included names and driver’s licenses of around 600,000 drivers in the US, and personal information of 57 million users worldwide. According to Bloomberg, the data was stored in an Amazon Web Services account, which the hackers were able to access after retrieving login credentials from a private GitHub used by Uber engineers.
As fallout from the breach, Uber fired its chief security officer, Joe Sullivan, this week, Bloomberg reported.
In addition to being yet another public relations nightmare for Uber, the way the company handled the breach might be in violation of data breach disclosure laws, and might prompt an investigation from the Federal Trade Commission. This is the latest incident affecting the privacy and data of Uber’s drivers and riders. While Uber hasn’t previously suffered a major data breach like this one, the company has had some significant screwups, such as mistakenly leaving drivers’ licenses and social security numbers exposed online.