In October 2016, hackers stole the personal data of 50 million riders and about 7 million drivers from Uber. Instead of reporting the breach, the company paid the hackers $100,000 to delete the data and keep quiet, in what became a yearlong cover-up.
The breach, made public in an explosive new report from Bloomberg, led this week to the ousting of Uber’s chief security officer, Joe Sullivan, and one of his deputies who worked to keep the attack quiet.
“None of this should have happened, and I will not make excuses for it,” Dara Khosrowshahi, who took over as CEO in September, told Bloomberg in an emailed statement. “We are changing the way we do business.”
The security breach and cover-up is the latest skeleton to emerge from Uber’s very crowded closet. This year the company has faced multiple allegations of sexual harassment, a lawsuit over alleged theft of trade secrets from Alphabet’s self-driving car unit Waymo, and a lawsuit from shareholders against co-founder and former chief executive Travis Kalanick, who was ousted in a shareholder revolt over the summer.
According to Bloomberg, the compromised data included names, email addresses and phone numbers of 50 million Uber riders globally, as well as the personal information of about 7 million drivers and about 600,000 US driver’s license numbers. The company told Bloomberg that no Social Security numbers, credit card details, or trip location info was taken.
The hack reportedly occurred after two attackers gained login credentials by accessing a private GitHub coding site used by Uber software engineers, which eventually led them to an archive of rider and driver information stored on an Amazon Web Services account. The company told Bloomberg the hackers then emailed Uber asking for money.
Uber has a spotty record on data privacy. The company in 2015 disclosed a breach that it said affected 50,000 US drivers; it later upped that total to 100,000, and, earlier this year, settled with the Federal Trade Commission over “deceptive privacy and data security claims.” Before that, Uber had come under fire for “God View,” a tool that let Uber employees see the location and travel details of specific Uber users (something the company used to pull out as a party trick).
The company is already facing at least five criminal probes in the US into possible bribes, software used to evade law enforcement, questionable pricing methods, and theft of trade secrets.
Bloomberg reports that the October 2016 hack was uncovered as part of an investigation into the activities of Sullivan’s security team commissioned by Uber’s board. He reportedly oversaw a team formerly known as “Competitive Intelligence” that devised Uber’s “Hell” program to spy on Lyft drivers, as well as a “Strategic Services Group” that hired contractors to surveil competitors and vet potential hires.
Sullivan joined Uber as its first chief security officer in April 2015, “to help Uber redefine safety and data security,” Kalanick wrote in a blog post at the time. Sullivan had previously held the top security position at Facebook.
“I’m excited about Uber’s mission of revolutionizing transportation and, like Travis and the leadership team at Uber, firmly believe building world-class safety and security are critical to that mission,” Sullivan wrote in that same blog post. “This is a chance to help build the culture of a young and growing organization, and to continue building upon the safety and security initiatives that are the backbone of Uber’s success.”