
Uber: Hackers stole 57m passengers, drivers' info. We also bribed the thieves $100k to STFU

And it happened a year ago, hoped you wouldn't find out

By Richard Chirgwin


Uber's CEO Dara Khosrowshahi today revealed hackers broke into the ride-hailing app's databases and stole personal information on 57 million passengers and drivers – information including names, email addresses, and phone numbers.

And the cyber-thieves made off with 600,000 US driver records that included their license numbers.

And the hack happened in 2016 – yet biz executives hushed up the break-in rather than alert the public.

In a statement on Tuesday, Khosrowshahi said the intruders accessed cloud-hosted data stores:

I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use. The incident did not breach our corporate systems or infrastructure.

At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.

You may be asking why we are just talking about this now, a year later. I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it.

"Obtained assurances" is a funny way of putting it.

No doubt this is what the chief exec discovered from that probe of his: in October 2016, two miscreants snatched from the app biz's GitHub code repo the keys needed to access its AWS S3 data stores containing the aforementioned personal information, Bloomberg reports. The hackers then demanded $100,000 from Uber in exchange for their silence and to destroy all their swiped copies of the records.

Rather than warn state and federal authorities of the personal data theft, as is required of the California upstart, Uber's chief of information security Joe Sullivan ordered that the crooks be paid off, the stolen files erased, and the whole thing hushed up, leaving riders and drivers none the wiser. The payout was disguised as a bug bounty prize, complete with signed non-disclosure agreements.

Sullivan, previously a federal prosecutor, and one of his lieutenants were ousted from the company as a result of the new CEO's investigation, we're told. Khosrowshahi, who was installed at the San Francisco-based upstart over the summer, said steps have now been taken to ensure this kind of coverup is never repeated, and that security breaches will be disclosed in public in future as required:

While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.

The top boss was adamant that “outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded.” He added that the company was monitoring the affected accounts, and has flagged them for “additional fraud protection.” Anyone affected by the hack will be notified, he said.

It's worth pointing out that while the company is now alerting the authorities, California's data security breach notification law requires disclosure in “the most expedient time possible and without unreasonable delay.” In other words, not 12 months later.

As well as trouble potentially brewing in Cali over the hush-up, New York Attorney General Eric Schneiderman has also launched an investigation into Uber's cockup – by our reckoning, perhaps only the fifth worst thing the controversial bad-boy biz has done over the past year. ®
