Uber paid $100,000 to hackers to keep breach under wraps

30 Nov 2017

Hackers stole the personal data of 57 million customers and drivers from Uber Technologies Inc in a massive breach that the company hushed up for over a year. But the ride-hailing firm, this week let go of the chief security officer and one of his deputies for their roles in keeping the hack under wraps, including a $100,000 payment to the attackers.

The company told Bloomberg on Tuesday that compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world.

The personal information of about 7 million drivers was also accessed, including some 600,000 US drivers' license numbers. According to Uber, no Social Security numbers, credit card information, trip location details or other data were taken.

At the time of the incident, Uber was engaged in negotiations with US regulators over separate claims of privacy violations. The company now says it had a legal obligation to report the hack to regulators and to drivers whose license numbers were taken.

But the company paid hackers to delete the data and hush up the incident. While Uber maintains the information was never used, it declined to disclose the identities of the attackers.

''None of this should have happened, and I will not make excuses for it,'' Dara Khosrowshahi, who took over as chief executive officer in September, said in an emailed statement. ''We are changing the way we do business.''

Data compromised in the breach included users' names, email addresses and mobile numbers as also US drivers' license numbers. However, the breach did not affect trip history, dates of birth, social security numbers, credit card and bank details according to the ride-hailing giant.

"We have seen no evidence of fraud or misuse tied to the incident," Uber said. "We are monitoring the affected accounts and have flagged them for additional fraud protection."