San Francisco, California, USA: Ride-hailing company, Uber, said Tuesday that hackers stole personal data from some 57 million riders and drivers of the ride-sharing service in a 2016 incident. When it found out, Uber then paid the hackers US$100,000 to destroy the data, not telling riders or drivers whose information had been stolen and put at risk.
“None of this should have happened, and I will not make excuses for it,” chief executive Dara Khosrowshahi said in a statement.
“While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection.”
Two members of the Uber information security team who “led the response” that included not alerting users that their data was breached were let go from the San Francisco-based company effective Tuesday, according to Khosrowshahi.
The Uber chief said he only recently learned that outsiders had broken into a cloud-based server used by the company or data and downloaded a “significant” amount of information.
Uber is a widely popular car-hailing app that offers its service in 633 cities worldwide and is used by over 40 million unique riders each month.
Stolen files included names, email addresses, and mobile phone numbers for riders, and the names and driver license information of some 600,000 drivers, according to Uber.
Co-founder and ousted chief Travis Kalanick was advised of the breach shortly after it was discovered, but it was not made public until Uber’s new boss Khosrowshahi found out.
“You may be asking why we are just talking about this now, a year later,” Khosrowshahi said.
“I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it.”
He said that what he learned about Uber’s failure to notify users or regulators has prompted corrective actions.
The hackers found 57 million names, email addresses and mobile phone numbers, Uber said.
After asking for an investigation, Uber discovered that instead of notifying regulators and the affected individuals it had “identified the individuals and obtained assurances that the downloaded data had been destroyed,” he wrote.
In response, the NYS Attorney General has said he will definitely investigate the hack.