Hackers Stole Data From 57 Million Uber Drivers and Customers, Uber Paid $100K to Hide Attack

Tuesday November 21, 2017 2:42 pm PST by Juli Clover
Uber suffered a massive data breach last year that exposed the personal data of 57 million customers and drivers, reports Bloomberg. The attack occurred in October of 2016 and included personal information from 50 million Uber riders and 7 million Uber drivers.

Two hackers reportedly accessed a private GitHub repository used by Uber's software engineers and then used those credentials to breach an Amazon Web Services account that contained an archive of rider and driver information.

Email addresses and phone numbers were stolen from riders, while hackers were able to obtain email addresses, phone numbers, and driver's license numbers from drivers. Uber says social security numbers and trip location data were not accessed in the attack.

Rather than disclosing the attack when Uber learned of it in November of 2016, the company instead paid hackers $100,000 to delete the data and keep quiet about the breach. Uber did not disclose the identity of the hackers, but did say it believes the information was not used or otherwise sold.

Uber's new CEO, Dara Khosrowshahi, says the attack and the coverup should not have happened, and that Uber is "changing the way we do business." Khosrowshahi says he is aiming to change the way Uber operates, and as part of that effort, Uber informed the FTC and attorney general about the attack this morning.
"At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals," Khosrowshahi said. "We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts."
Uber's efforts to conceal the hack were led by chief security officer Joe Sullivan, who has been ousted from the company. Uber also let go of Craig Clark, a senior lawyer who worked with Sullivan.

In light of the attack, Uber has hired Matt Olsen, who previously served as general counsel at the National Security Agency. Uber says Olsen will help the company restructure its security teams.

Tag: Uber
[ 144 comments ]

Top Rated Comments

(View all)

Avatar
Solomani
26 months ago
This is very up-Lyfting news!
Rating: 54 Votes
Avatar
scottcampbell
26 months ago

All the hackers got were names and email addresses (of riders). Big deal.

What's your name and email address?
Rating: 40 Votes
Avatar
Mansu944
26 months ago
I am deleting my account right now...
Rating: 20 Votes
Avatar
dannyyankou
26 months ago

All the hackers got were names and email addresses (of riders). Big deal.

Sure, but you're not going to defend Uber paying the hackers $100k to hide it are you? It's as shady as it gets. If they were upfront and honest about the hack I might have forgiven them.
Rating: 18 Votes
Avatar
nabeel24
26 months ago
How shady is this company...
Rating: 15 Votes
Avatar
just.jon
26 months ago
Uber needs to go, now. The Justice Department needs to be looking hard at them for a handful of reasons.
Rating: 12 Votes
Avatar
Doctor Q
26 months ago
Can you trust hackers not to use (i.e, sell) the data they stole, even if you pay them? If they take your data, take your money, AND use the data, should you take them to court or offer them more money?

Note to self: Perhaps it's not a great idea to store your internal passwords in your GitHub account.
Rating: 11 Votes
Avatar
CerebralX
26 months ago
Uber is just not a nice company.
Rating: 10 Votes
Avatar
Watabou
26 months ago

Uber's efforts to conceal the hack were led by chief security officer Joe Sullivan, who has been ousted from the company. Uber also let go of Craig Clark, a senior lawyer who worked with Sullivan.


The blame doesn’t just lie with those two. How did the rest of Uber’s upper management not notice why they paid $100K?
Rating: 9 Votes
Avatar
69Mustang
26 months ago
[whole bunch of expletives] Uber!
Rating: 8 Votes

[ Read All Comments ]