The technology and logistics company, Uber has been caught attempting to conceal an October 2016 data breach that exposed 57 million peoples’ personal information.
First reported by Bloomberg, the company paid 100,000 to two hackers after they stole the company’s customer data in exchange for their silence and the deletion of the stolen information.
“A big part of the shock and disappointment comes from the fact that Uber appears to have paid hush money to keep this under wraps,” said Kowsik Guruswamy, chief technology officer at Menlo Security to Financial Times.
Although the Federal Bureau doesn’t recommend that a company pay hackers in these types of case, it still has happened before.
“The most high-profile example was when Hollywood Presbyterian Medical Center paid a $17,000 ransom in bitcoin last year to hackers who seized control of the hospital’s computer systems,” writes Financial Times.
The personal information stolen included names, email addresses and phone numbers of both the Uber customers and the drivers. 600,000 U.S. drivers’ license plate numbers were also taken in the breach.
Unlike the recent massive Equifax cyber hack, no credit card information, along with customers’ trip histories were included in the breach.
When the company discovered the breach back in December of 2016, Uber decided to not notify regulators or the people comprised in the hack. On Tuesday, Uber finally acknowledged the breach.
Dara Khosrowshahi, who became Uber’s chief executive in September, said that once he heard about the breach, he ordered an investigation.
“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals,” said Khosrowshahi. “We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”
However, these steps did not include alerting the individuals who were affected.
Khosrowshahi has also asked for Sullivan, Uber’s chief security officer’s resignation, along with the lawyer that reported to him.
“None of this should have happened, and I will not make excuses for it,” said Khosrowshahi.
“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business.”
It’s safe to say that Khosrowshahi has a rocky road ahead of him.
“The latest news about the data breach is just one of many legacy bad decisions that Khosrowshahi has had to inherit since Kalanick was ousted from the company in June. The company is facing several other federal investigations into its business practices and is preparing to stand trial against accusations of trade secret misappropriation by its rival Waymo next month,” writes Forbes.
“Mr. Khosrowshahi’s decision to publicly announce the data breach — during a holiday week as the US celebrates Thanksgiving — represents an effort to get skeletons out of the closet during the first months of his tenure,” writes Financial Times.
Apparently, trying to hide cyber breaches at companies is more common than you think.
“Developers make mistakes on the cloud infrastructure, and hackers take advantage of that,” said Kobi Ben-Naim, the head of the cyber research lab at CyberArk to the Times of Israel.
Author’s note: This is another example of how irresponsible a technology company can be. Uber should have alerted those affected as soon as possible, instead of waiting a WHOLE year. Now the company’s PR nightmare is going to be even worse because Uber executives tried to hide it from their employees and customers.
Editor’s note: Our privacy is under attack, no one seems to care the damage it does to the victims.