Uber Technologies Inc. admitted Tuesday that hackers stole personal data belonging to 57 million customers and drivers — a fact it concealed for more than a year.
The attack, which took place in October 2016, resulted in the worldwide theft of names, email addresses and phone numbers belonging to 50 million Uber riders, according to Bloomberg, which first reported the hack.
Personal information for 7 million drivers across the world was also stolen, including 600,000 driver’s license numbers in the United States.
Uber was required to alert regulators and drivers whose driver’s license numbers were compromised by the hack. Instead, Uber paid the hackers $100,000 to erase the stolen data and keep word of the breach hidden, according to Bloomberg.
The New York attorney general’s office said Tuesday it was launching an investigation into the data breach.
Uber fired its chief of security, Joe Sullivan, and one of his deputies for keeping word of the attack hidden.
The ride-hailing giant’s recently installed chief executive, Dara Khosrowshahi, said in a blog post that he learned of the breach recently. He described it as an attack by two outside hackers that accessed the company’s data stored with a third-party cloud-based company.
“Our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded,” Khosrowshahi said.
The hackers reportedly stole passwords belonging to Uber engineers from a private GitHub coding site. They used those credentials to then access company data stored on Amazon Web Services. They then contacted Uber, demanding money. Uber obliged.
“None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” said Khosrowshahi, who has been tasked with rectifying Uber’s image and business practices after replacing the company’s controversial founder, Travis Kalanick, as head of the company in August.
The coverup marks one more black eye for a company that has long clashed with regulators and city leaders across the world as it introduced its disruptive ride-hailing business.
Under Kalanick, the company’s ethics were repeatedly called into question for violating customer privacy and concealing data from regulators. Earlier this month, London revoked Uber’s operating license.
It’s unclear what role Kalanick, who remains a member of Uber’s board, played in the aftermath of the hack. A spokesperson for Kalanick declined to comment.
It’s not unusual for companies to pay criminal hackers who have compromised their systems. Companies that fall victim to ransomware often pay a fee to restore their systems.
Businesses sometimes purchase data that hackers claim to have stolen in an attempt to determine if an alleged breach is genuine. Once deemed legitimate, experts say the company has an obligation to warn those affected.
“Uber has a responsibility to keep driver and passenger data safe. So they pay the hackers to reduce the chances of that data” being spread, said Guy Podjarny, CEO of Snyk, a security company that finds and fixes vulnerabilities in open source code. “The problem is not paying what’s almost a fine for not keeping their system secure. The problem is concealing it after the fact.”
Follow me @dhpierson on Twitter
5:25 p.m.: This article was updated with additional context about hacking.
This article was originally published at 4:15 p.m.