Ridesharing app Uber concealed for more than a year that hackers had stolen data from 57 million Uber drivers and customers, according to a report Tuesday.
Uber attributed the hack, which occurred in late 2016, to two individuals who accessed the data through a “third-party cloud-based service.” The company said its internal servers were not compromised.
The hackers stole the names and driver’s license numbers of roughly 600,000 Uber drivers, as well as the names, email addresses and phone numbers of some 57 million users. Uber says user credit card numbers, bank account numbers and Social Security numbers were not exposed, and it is providing free credit monitoring to impacted drivers.
“None of this should have happened, and I will not make excuses for it,” Uber CEO Dara Khosrowshahi said in a blog post. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
Khosrowshahi said Uber has cut ties with two executives who led the company’s initial response to the breach. Bloomberg identified the ousted executives as Uber’s chief security officer Joe Sullivan and one of his deputies, adding that, under Sullivan’s watch, Uber paid the hackers $100,000 to delete the stolen data and never reported the breach to the authorities.
The blog post did not address the alleged payment. Khosrowshahi said Uber has retained Matt Olsen, the cybersecurity consultant and former general counsel of the National Security Agency, to assist in restructuring Uber’s response teams.
Uber previously drew scrutiny for failing to properly disclose a data breach that occurred in 2014. The company agreed earlier this year to undergo 20 years of outside audits of its cybersecurity practices in response to that incident.