Uber admits to covering up hack affecting 57 million users

November 21, 2017, 5:21pm

The troubled ride-hailing giant Uber admitted Tuesday it was the victim of a hack that exposed the private information of 57 million users — but instead of alerting people at the time, it paid the hackers to keep quiet.

Uber announced Tuesday evening that in 2016 a group of hackers made off with the personal information of 57 million users worldwide — including names, email addresses, and phone numbers. The hack affected 50 million users and 7 million drivers, and also compromised the names and driver’s licenses of 600,000 Uber drivers.

Uber’s chief security officer at the time, Joe Sullivan, covered up the intrusion and paid the hackers $100,000 to keep quiet about the matter and delete the info, according to Bloomberg. Sullivan, a one-time federal prosecutor, joined Uber from Facebook in 2015. Both Sullivan and a deputy of his have been fired.

“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals,” newly-installed CEO Dara Khosrowshahi said in a blog post revealing the hack. “We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”

New measures to restructure Uber’s security operation include hiring Matt Olsen, a former director of the National Counterterrorism Center, as an adviser to the company. Uber also says it is working with regulators, and says it has retained the services of the cybersecurity company Mandiant, which assisted Sony Entertainment in 2014 after the Hollywood studio’s hacked emails were leaked onto the internet.

Both the scale of this hack and the type of information accessed are much less significant than other recent, notable hacks, particularly those of Yahoo or Equifax. But Uber has a notoriously spotty track record with user privacy.

At the same time that Uber executives were covering up the 2016 hack, the company was working out a settlement, made public in August 2017, with the Federal Trade Commission for its “deceptive” claims about user privacy. As part of the deal, Uber agreed to 20 years of regular user privacy audits. In early 2016, the company paid a $20,000 settlement for privacy violations in a suit brought by New York State Attorney General Eric Schneiderman.

And for years, Uber has dealt with scandals related to its employees inappropriately accessing information about where its users travel. This includes tracking customers’ movements on a big display at a party, a practice which one former employee alleged was once commonplace at the company.

“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said in the Tuesday evening blog post on the 2016 data breach. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”