The massive data breach concerning the personal information of 57 million Uber customers and drivers worldwide should have been old news by now, considering it happened back in 2016. The reason you’re only hearing about it today is that the company has done a bang-up job keeping everything a secret for over a year. This includes paying the hackers $100,000 to keep quiet and delete the stolen data.
Uber Technologies Inc. has recently come under fire for concealing this cyberattack and is being sued for negligence by a customer seeking class-action status. The company is accused of failing “to implement and maintain reasonable security procedures and practices,” as stated in the complaint filed yesterday (November 21) in federal court in Los Angeles, California.
The lawsuit against Uber aims to represent all of the company’s U.S. customers and drivers whose personal information was compromised following the cyberattack.
The massive Uber data breach occurred in October 2016, Bloomberg reports, and targeted the personal information of 50 million customers and seven million drivers from all over the world. The stolen data included customer names, email addresses, and mobile phone numbers, the company announced, as well as names and driver’s license numbers belonging to nearly 600,000 Uber drivers in the U.S.
According to the company, the data downloaded by the hackers didn’t include information regarding trip location history, credit card numbers, bank account numbers, Social Security numbers, or dates of birth.
Uber says the compromised data was “stored on a third-party cloud-based service” employed by the company, and mentions the breach didn’t affect Uber corporate systems or infrastructure. The cyberattack was engineered by two hackers, whom the company later identified but whose names Uber refuses to make public.
The company admits to covering up the hack, which it has been aware of since November 2016, and says it “was wrong” to withhold the incident from the targeted drivers at the time it occurred. However, Uber reassures its drivers that the company has taken “steps to contain and prevent harm.” These measures include free credit monitoring and identity theft protection for the drivers whose accounts were hacked into.
Uber CEO Dara Khosrowshahi announced the company has fired two individuals responsible for the poor management of this incident.
“None of this should have happened, and I will not make excuses for it.”
The two people Uber holds accountable for the inadequate way in which the cyberattack was handled — and who subsequently got sacked for the hack cover-up — are security chief Joe Sullivan and Craig Clark, a senior lawyer who reported to Sullivan, Bloomberg notes. The news outlet points out former Uber CEO Travis Kalanick, whom Khosrowshahi replaced in September, also knew about the cyberattack.
Instead of reporting the attack to regulators and notifying the drivers whose license numbers were downloaded, the taskforce leading the response to last year’s incident paid off the hackers to destroy the stolen data and keep the breach under wraps, Bloomberg disclosed.
The two hackers reportedly received a payment of $100,000 to delete the downloaded data. Uber is confident the stolen information was never used, and reports “no evidence of fraud or misuse tied to the incident.”
“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals,” Khosrowshahi wrote in a communiqué posted yesterday in the Uber newsroom.
“We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts,” he added.
In addition to the negligence lawsuit filed by the Uber customer, New York Attorney General Eric Schneiderman launched an investigation into the hack following the company’s disclosure on Tuesday, TechCrunch confirms.