For most of 2016, hackers had access to Uber's user data, including names, email addresses, and phone numbers. But the news didn't come to light until today, when the company let both users and drivers — whose information was also compromised — know through a blog post.
Why did it take so long? According to Bloomberg, Uber spent much of the time between late 2016 and 2017 paying off the hackers to keep the entire thing under the radar.
Chief Security Officer Joe Sullivan has been fired over the ordeal, which involved paying the pair of hackers $100,000 to delete the info they had stolen. Mashable notes that during the hack, Uber was actually in talks with U.S. regulators to discuss other privacy concerns. Legally, Uber has to let users know exactly what happened. Sullivan's failure to disclose the hack after finding it was part of why he was terminated.
AdvertisementADVERTISEMENT
The hackers got into the company's cloud storage using data on GitHub. After they accessed the archive of user data, they demanded cash from Uber.
The details of how Uber got hacked (Uber engineers left their AWS keys on Github) don't do much to inspire confidence in their cybersecurity practices. This is the equivalent to: left the keys to the safe in the front door.
— Sheera Frenkel (@sheeraf) November 21, 2017
Uber's current CEO, Dara Khosrowshahi, wasn't in charge when the incident went down. In the blog post, he assures users and drivers that the information wasn't actually used and that the company has taken the time to strengthen security in the cloud-based storage system that was breached.
"None of this should have happened, and I will not make excuses for it," Khosrowshahi said in a statement to Bloomberg. "We are changing the way we do business. While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes."
Khosrowshahi is offering free credit monitoring for the affected drivers and monitoring all the leaked accounts for fraud. Uber also hired Matt Olsen, formerly of the National Security Agency and director of the National Counterterrorism Center, to make sure that moving forward, everything stays on the straight and narrow.
Bloomberg reports that New York Attorney General Eric Schneiderman — who fined Uber $20,000 in 2014 for not disclosing a different privacy breach — has already launched an investigation to the hack.
Read These Stories Next: