Uber has done it again! From accusations of bullying, sexual harassment and discrimination, Uber has been attracting publicity for the wrong reasons. And now, they have added another feather to the cap. The data of a staggering 57 million of its users and drivers was compromised, but instead of reporting the hack to the authorities, Uber chose to hide it.
The massive breach was concealed by the ride-hailing company for more than a year. On Tuesday, Uber finally revealed that the compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world. The personal information of about 7 million drivers, including some 600,000 U.S. driver’s license numbers, was also compromised.
However, Uber claimed that no Social Security numbers, credit card information, trip location details or other data were compromised. The scandal-hit company is notifying the drivers whose driver’s license numbers were stolen and, to make up for the screw-up, is offering affected drivers free credit monitoring and identity theft protection.
While Uber had a legal obligation to report the hack to regulators and to drivers whose license numbers were taken, it didn’t. Instead, the company paid the hackers US$100,000 to delete the data and keep the breach quiet – until today. CEO Dara Khosrowshahi said – “None of this should have happened, and I will not make excuses for it. We are changing the way we do business.”
Khosrowshahi wasn’t with Uber when the hacking and cover-up took place. He only took over as CEO in September. The San Francisco-based company has since fired Chief Security Officer Joe Sullivan – previously security boss at Facebook and a former federal prosecutor – for his despicable role in hiding the data breach. Craig Clark, a senior lawyer who reported to Sullivan, was also sacked.
Former CEO Travis Kalanick apparently knew about the 2016 hack. The cover-up was well preserved until the board commissioned an investigation into the activities of Sullivan’s security team. After Uber’s disclosure Tuesday, New York Attorney General Eric Schneiderman immediately launched an investigation into the hack.
Here’s how the hack occurred more than a year ago – 2 hackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. They discovered an archive of rider and driver information and downloaded the data.
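The intrusion path described above (credentials found in a code repository, then used against AWS) is what repository secret scanning is meant to catch. The following is an added example, not from the original article or from Uber: a small scanner that flags AWS-style access key IDs and high-entropy 40-character secrets in source text. It assumes the credentials were AWS access keys stored in code, which the article does not state; the sample files are constructed and use AWS's published documentation example keys.

```python
import math
import re
from collections import Counter

# AWS access key IDs: AKIA (long-term) or ASIA (temporary) prefix + 16 characters.
KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Candidate secret access keys: exactly 40 characters from the base64 alphabet.
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")


def shannon_entropy(s):
    """Bits per character. A 40-char hex string (e.g. a git SHA-1) stays below 4.0."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_text(path, text, min_entropy=4.0):
    """Return (path, line number, finding type, redacted value) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in KEY_ID_RE.finditer(line):
            # Report only a prefix so the scanner's own output does not leak the key.
            findings.append((path, lineno, "aws_access_key_id", m.group()[:8] + "..."))
        for m in SECRET_RE.finditer(line):
            if shannon_entropy(m.group()) >= min_entropy:
                findings.append((path, lineno, "high_entropy_secret", "<redacted>"))
    return findings


def scan_repo(files):
    """Scan a {path: text} mapping, standing in for a checked-out repository."""
    return [f for path, text in sorted(files.items()) for f in scan_text(path, text)]


# Constructed sample repository; the key values are AWS's documentation examples.
SAMPLE_REPO = {
    "deploy/backup.py": (
        "import boto3\n"
        'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    # A commit hash is 40 characters too, but its entropy is too low to be flagged.
    "README.md": "Pinned to commit 0123456789abcdef0123456789abcdef01234567\n",
}

if __name__ == "__main__":
    for finding in scan_repo(SAMPLE_REPO):
        print(finding)
```

A check like this belongs in a pre-commit hook or CI job, and any key it finds should be rotated rather than only removed from the file, since it remains in the repository history.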
According to the company statement, the 2 hackers later emailed Uber asking for money. It appears that the CEO at the time – Travis Kalanick – not only knew about the cyber-attack but could also have given his approval to pay the hackers so that it could be kept secret. He was ousted as CEO in June under pressure from investors, who said he put the company at legal risk.
But this is not the first case where Uber has broken the law since its founding in 2009. The U.S. authorities have opened at least 5 criminal probes into possible bribes, illicit software, questionable pricing schemes and theft of a competitor’s intellectual property against the company, not to mention dozens of other civil suits.
In January 2016, the New York attorney general fined Uber US$20,000 for failing to promptly disclose an earlier data breach in 2014. Even while the company was negotiating with the FTC on a privacy settlement, it was busy haggling at the same time with the hackers over the US$100,000 payment in exchange for keeping it quiet.
Uber’s new CEO Khosrowshahi said – “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.” According to Bloomberg, the company plans to release a statement to customers saying it has seen “no evidence of fraud or misuse tied to the incident.”
The assurance from Khosrowshahi might have come a bit too late though. Japanese investor Softbank is reportedly toying with the idea of merging Uber with Grab in Southeast Asia, including China’s DiDi Chuxing and India’s Ola. Softbank’s founder Masayoshi Son has stakes in all the ride-hailing companies and is considering consolidation to optimize his investment.
At US$68 billion, Uber is the most highly valued venture-backed company in the world. But at the same time, it’s bleeding profusely – a loss of US$645 million in the second quarter this year. Uber might agree to be acquired by Grab as the former sells off its Southeast Asian operations in Malaysia, Singapore, Thailand, the Philippines and Vietnam.