Uber reveals cover-up of hack affecting 57M riders, drivers

Image 1 of 2

Uber is coming clean about its cover-up of a year-old hacking attack that stole personal information about more than 57 million of the beleaguered ride-hailing service's customers and drivers.
The revelation Tuesday marks the latest stain on Uber's reputation.

The San Francisco company ousted Travis Kalanick as CEO in June after an internal investigation concluded he had built a culture that allowed female workers to be sexually harassed and encouraged employees to push legal limits.
Uber's current CEO, Dara Khosrowshahi, criticized the company's handling of the data theft in a blog post that said there's no evidence the stolen information has been misused.
The heist took the names, email addresses and phone numbers of 57 million riders. Just the right amount of information needed for phishing attacks, according to cyber security experts. 

The thieves also nabbed the driver's license numbers of 600,000 Uber drivers.  

"You're able to convince them based on the information you have about them that you could be a government agency, you could be a financial institution, you could be a merchant with whom they already have a relationship and that situation could put them in a place where they give away more information," said Founder and Chairman of Cyber Scout, Adam Levin. 

Adding insult to injury, cyber experts say the victims of this massive hack were reportedly robbed of their protection too.

According to Bloomberg, Uber paid the hackers $100,000 to delete the info and conceal the breach for more than a year.

"In an effort to protect shareholder value what they've done is expose drivers and consumers. It's almost like they drove customers and employees off a cliff," said Levin.

In a statement, Uber admits they discovered the hack late in 2016 saying "two individuals outside the company had inappropriately accessed user data stored on a third party cloud based service." 

The company's forensic experts say credit card, bank and social security numbers or birth dates have not been compromised.

Sarah Cook is a former Uber driver and customer who cut ties with the ride share company in January after its workplace culture deteriorated. 

"It just started to seem to me to be a little bit more politically and actively minded on the corporations I was investing in and I deleted the Uber app and started using Lyft and haven't looked back," said Cook. 

She knows she could still be at risk since the breach happened when she was using the service. 
Just like Mandi Sass of Burlingame, an avid rider who takes Uber to and from work daily.  

"It makes me really nervous as a consumer and I think that's bad business practice on their part," said Sass. 

Uber admits this never should have happened and says they are notifying affected drivers and offering them free credit monitoring services.

Despite that move, security experts say they have still exposed themselves to class action lawsuits because they didn't notify consumers in a timely manner. 

Read Uber CEO's full statement: 

"As Uber’s CEO, it’s my job to set our course for the future, which begins with building a company that every Uber employee, partner and customer can be proud of. For that to happen, we have to be honest and transparent as we work to repair our past mistakes.

I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use. The incident did not breach our corporate systems or infrastructure.

Our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded. However, the individuals were able to download files containing a significant amount of other information, including:

  • The names and driver’s license numbers of around 600,000 drivers in the United States. Drivers can learn more here.
  • Some personal information of 57 million Uber users around the world, including the drivers described above. This information included names, email addresses and mobile phone numbers. Riders can learn more here.
  • At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.

You may be asking why we are just talking about this now, a year later. I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it. What I learned, particularly around our failure to notify affected individuals or regulators last year, has prompted me to take several actions:

I’ve asked Matt Olsen, a co-founder of a cybersecurity consulting firm and former general counsel of the National Security Agency and director of the National Counterterrorism Center, to help me think through how best to guide and structure our security teams and processes going forward. Effective today, two of the individuals who led the response to this incident are no longer with the company.

  • We are individually notifying the drivers whose driver’s license numbers were downloaded.
  • We are providing these drivers with free credit monitoring and identity theft protection.
  • We are notifying regulatory authorities.
  • While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection.

None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers."