Uber faced a massive data breach in 2016 which affected over 57 million customers including riders and drivers. A new report from Bloomberg has surfaced which reveals that the data breach exposed customer's name, email address and phone numbers of 50 million customers. The breach also exposed the driver's licenses and other information for roughly 7 million drivers for the company, including 600,000 in the US.
Uber CEO Dara Khosrowshahi told Bloomberg via email that while he “will not make excuses” for the incident, he also believes that “none of this should have happened.” Khosrowshahi also said that Uber did shut down the attack vector and increased its security measures following the attack, but that it failed in its duty to report.
Bloomberg report states that instead of reporting the incident to regulators or affected customers, Uber paid $100,000 to hackers to get rid of the data to keep the breach under wraps. It further states that no security numbers or trip location information was taken in the attack and that it doesn’t believe the info that was leaked was ever used, though it doesn’t specify who was responsible.
The breach apparently occurred because attackers managed to gain login credentials for an Uber Amazon Web Services account using a private GitHub site maintained by Uber engineers.
Khosrowshahi said he launched an investigation into why the company did not alert authorities or individuals affected by the hack. He said, "two of the individuals who led the response to this incident are no longer with the company." Khosrowshahi said the company is now notifying regulatory authorities.
Jason Hart, VP, and CTO for data protection, Gemalto says, "The goal should not be to hide these breaches or even prevent them. It should be to make them secure by taking a more intelligent, data-centric approach to security, which means knowing where your valuable data resides."
Meanwhile, Khosrowshahi said in a blog post that the company has laid out plans for how the company will address the fallout of the incident.