Uber paid hackers $100,000; concealed data stolen of 57mn users
Uber is facing another PR nightmare. It has emerged that the company concealed a massive data breach affecting 57mn users/riders for a whole year. But the data hasn't been misused (yet): Uber paid the hackers $100,000 to delete the information. The incident itself happened in October'16, when Travis Kalanick was CEO, and is one of the many scandals inherited by his successor Dara Khosrowshahi.
How did the attack happen?
In October'16, two attackers broke into a private GitHub site being used by Uber's engineers and recovered login credentials for its Amazon Web Services account. There, they found a detailed database of riders and drivers. Uber says only names, email IDs, phone numbers and drivers' license numbers had been accessed. Other data like social security numbers, location, credit card information and more were safe.
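The chain described above (credentials committed to a code repository, then reused against a cloud account) is the kind of leak a secret scanner run as a pre-commit or CI check is meant to catch. The following is an added, defender-side example and is not code from the article or from Uber; it assumes the public AWS key formats (20-character access key IDs beginning AKIA/ASIA, 40-character secret keys), and the sample file contents are constructed using AWS's own documentation placeholders.

```python
import re
from dataclasses import dataclass

# Public AWS key formats: access key IDs are 20 chars starting AKIA (long-term)
# or ASIA (temporary); secret access keys are 40 chars of base64-like text.
AWS_ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
AWS_SECRET_KEY = re.compile(
    r"(?i)aws(?:_|\s)?secret(?:_|\s)?(?:access(?:_|\s)?)?key\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})"
)

@dataclass
class Finding:
    path: str
    line: int
    kind: str
    snippet: str  # redacted: never echo the full secret into logs or CI output

def redact(secret: str) -> str:
    return secret[:4] + "..." + secret[-4:]

def scan_text(path: str, text: str) -> list:
    """Return one Finding per credential-looking token in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append(Finding(path, lineno, "aws_access_key_id", redact(m.group(0))))
        m = AWS_SECRET_KEY.search(line)
        if m:
            findings.append(Finding(path, lineno, "aws_secret_access_key", redact(m.group(1))))
    return findings

def scan_files(files: dict) -> list:
    """files maps path -> content, as a pre-commit hook would read staged files."""
    return [f for path, text in files.items() for f in scan_text(path, text)]

# Constructed sample: the "leaked" values are AWS's own documentation placeholders.
SAMPLE_FILES = {
    "deploy/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "deploy/settings_ok.py": 'key = os.environ["AWS_ACCESS_KEY_ID"]  # read from env, not the repo\n',
}

if __name__ == "__main__":
    hits = scan_files(SAMPLE_FILES)
    for f in hits:
        print(f"{f.path}:{f.line}: {f.kind} ({f.snippet})")
    raise SystemExit(1 if hits else 0)  # non-zero exit blocks the commit
```

A real deployment would also scan the repository's history, since a credential removed in a later commit is still recoverable by anyone with read access.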
Why is Uber to blame here?
Uber's failure lay in not disclosing such a huge data breach to the authorities as required by US law. Ironically, around October'16, Uber had just settled a lawsuit with the NY attorney general over data security disclosures and was negotiating with the FTC over its handling of users' data. Moreover, that it had stored the data unencrypted was "unforgivable", says Paul Lipman, CEO of cybersecurity firm BullGuard.
What is Uber doing about it now?
Uber has now fired two of its employees: Joe Sullivan, its chief security officer during the hack, and Craig Clark, a lawyer who reported to Sullivan. The company has said it would provide free credit monitoring and identity theft protection to all affected drivers. The NY attorney general has launched a probe into the attack. Meanwhile, a customer has sued Uber for negligence.
Uber faces severe accusations in many, many countries
Ironically, this isn't the first such occurrence at Uber: in 2016, Uber was fined $20,000 for not promptly disclosing a 2014 data breach. Since starting in 2009, Uber has been accused of paying bribes, spying on its rivals, evading authorities, questionable pricing and other unethical practices. It is fully or partially banned in several countries including the UK, Canada, Bulgaria, Denmark, France, Germany, Hungary, Italy and Australia.