When you have an image problem as bad as Uber’s, it’s hard to fall further. News that the company experienced a data breach in 2016 that affected 57 million users does the job, however.
Especially because the company purposefully failed to disclose the breach, and paid out $100,000 to its perpetrators disguised as a bug bounty to keep them quiet. There will be plenty of fallout yet to come from this.
Uber data breach from 2016 affected 57 million riders and drivers
Uber faced a data breach in 2016 that affected some 57 million customers, including both riders and drivers, revealing their names, email address and phone numbers. That affected group included 50 million riders and 7 million drivers; around 600,000 driver license numbers for U.S. drivers were also included in the breach, according to a new report from Bloomberg.
Uber did not report the incident to regulators or to affected customers, but instead paid $100,000 to “hackers” to get rid of the data in order to keep the breach under wraps, according to the report. It says further that no security numbers or trip location information was taken in the attack, and that it doesn’t believe the info that was leaked was ever used, though it doesn’t specify who was responsible.
New Uber CEO Dara Khosrowshahi told Bloomberg via email that while he “will not make excuses” for the incident, he also believes that “none of this should have happened.” Khosrowshahi, who joined the ride-hailing company in August after a search for a replacement CEO following co-founder Travis Kalanick’s departure, also said that Uber did shut down the attack vector and increased its security measures following the attack, but that it failed in its duty to report.
Bloomberg says that Kalanick was aware of the hack as early as November 2016, just a month after it occurred. Uber Chief Security Officer Joe Sullivan, and a key senior deputy to the CSO, have also been removed from the company this week, specifically for their roles in keeping the cyberattack secret.
The report says the attack occurred because attackers managed to gain login credentials for an Uber Amazon Web Services account using a private GitHub site maintained by Uber engineers.
In a blog post addressing the breach, Khosrowshahi laid out plans for how the company will address the fallout of the incident, including bringing on a former NSA general counsel to provide guidance to Uber’s security teams, and notifying drivers whose license numbers were included in the breach. Uber will not only notify the drivers, but also offer them credit monitoring and identity theft protection services, though the post also says they haven’t seen “evidence of fraud or misuse tied to the incident.”
We’ve reached out to Uber for additional comment, and will update if we receive a response.
Uber Hacked, User Data Compromised, Wallets At Risk?
In a recent revelation, Uber has announced that the personal information of its drivers and many of its users was hacked, releasing the private information of over 57 mln individuals to the attackers. The hackers were able to gain access to usernames, names, driver’s license numbers and mobile phone numbers.
The hack occurred in 2016, and the company has hidden the information from the public until now. Instead of reporting the incident, the company chose to pay the hackers $100,000 as ransom in exchange for deleting the data and remaining quiet about the hack. According to a statement by the company:
“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures.”
Mobile wallet risks?
The main risk for cryptocurrency users is the mobile wallet applications. With access to names and phone numbers, hackers could potentially hijack the data on the phone or even reset the phone as a point of access for gaining access to mobile wallets. Recent victims include Chris Burniske, and others, who have had as much as $150,000 stolen.
While no immediate threat is known, Bitcoin holders are suggested to pay close attention to balances accessed on mobile wallets and wait to see if any potentially fraudulent activity is taking place. Further, users are always encouraged to store the majority of the cryptocurrency holdings in offline wallets