Uber Paid Hackers $100,000 To Cover Up Data Breach Of Over 5 Crore Passengers And Drivers
November 22nd, 2017
According to a report by Reuters, Uber Technologies Inc. paid hackers $100,000 to keep secret a massive breach last year that exposed the personal information of over 5 crore accounts of passengers and riders, the company said on Tuesday.
Uber concealed the hack, which had affected 57 million customers and drivers, for more than a year. This week, the cab-hailing firm ousted its chief security officer and one of his deputies for their roles in keeping the hack under wraps, including the payment to the hackers.
What is the data breach?
Compromised data from the breach included names, email addresses and phone numbers of over 50 million Uber riders from around the world. The personal information of about 7 million drivers was accessed as well, including some 600,000 U.S. driver’s license numbers. No Social Security numbers, credit card information, trip location details or other data were taken, Uber said.
At the time of the hacking incident, Uber was negotiating with U.S. regulators investigating separate claims of privacy violations. Uber now says it had a legal obligation to report the hack to regulators and drivers whose license numbers were taken. The company had, however, paid the hackers and kept quiet about the breach.
Uber claims that the information was never used, and it declined to disclose the names of the hackers.
According to a report by Bloomberg, Dara Khosrowshahi, who took over as Chief Executive Officer in September, said in an email, “None of this should have happened and I will not make excuses for it.” He said that he had recently learnt about the hack. He further added, “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way in which we do business. We are putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
Although payment to hackers is rarely publicly discussed, U.S. Federal Bureau of Investigation officials and private security companies have told Reuters that an increasing number of companies are paying criminal hackers to remove stolen data. Uber has a history of failing to protect customer and driver data. Hackers previously stole information about Uber drivers, and the company acknowledged in 2014 that its employees had used software called “God View” to track passengers.
How was the information hacked?
Two hackers got access to proprietary information stored on GitHub, a service that allows engineers to collaborate on software code. Uber said the two hackers stole its credentials for a separate cloud-service provider, from where they were able to download rider and driver data. A spokesperson from GitHub said that it was not a failure of GitHub’s security that led to the hack.
This hack comes as another controversy on top of allegations about sexual harassment and a lawsuit alleging theft of trade secrets. These multiple federal probes culminated in Travis Kalanick’s expulsion in June from the $68 billion startup Uber.
Filing a lawsuit
After Uber disclosed the news on Tuesday, New York Attorney General Eric Schneiderman launched an investigation into the hack, according to a report by Bloomberg. His spokeswoman, Amy Spitalnick, said that the company was sued for negligence over the breach by a customer seeking class-action status. “Uber failed to implement and maintain reasonable security procedures and practices appropriate to the nature and scope of the information compromised in the data breach,” according to a complaint filed Tuesday in a federal court in Los Angeles. The lawsuit seeks to represent all Uber drivers and customers in the U.S. whose information was stolen.
Representatives of the San Francisco-based company didn’t immediately respond to a request for comment on the lawsuit.
According to a report by The Guardian, Robert Judge, an Uber driver in Pittsburgh, said, “The hack and the cover-up are typical Uber, only caring about themselves. I found out through the media. Uber doesn’t get out in front of things, they hide them.”
Uber assured its passengers that they need not worry, as there was no evidence of fraud. Uber also said that drivers whose license numbers have been stolen would be offered identity theft protection and credit monitoring.
The Logical Indian community condemns Uber’s act of covering up the data breach. This data breach can pose a threat to millions of drivers and riders who use the app on a daily basis for their commute.