Uber pays ransom, covers up data breach
Uber concealed October 2016 breach and $100k ransom paid to hackers; federal probes, lawsuits launched
LOS ANGELES (MNS) — Ride-sharing giant Uber may have imperiled the secure personal data of millions of its riders and drivers after the company learned of a data breach by hackers in 2016, but failed for more than a year to report it, notify customers and drivers, or inform the general public.
Instead of promptly reporting the data breach to regulators when it learned of it in October 2016, Uber paid a reported $100,000 ransom to two hackers to conceal the breach and didn’t report the crime until Nov. 21, 2017.
The stolen data is said to include names, email addresses, and telephone numbers of 57 million Uber customers, as well as 600,000 driver’s license numbers of Uber drivers. Uber claims no social security numbers were breached.
Beyond that, it is unknown how much additional personal information was also accessed.
An Uber spokesperson reported that it fired its chief security officer and is investigating the breach with federal authorities. As of this writing, the breach has drawn two lawsuits seeking class-action status.
One suit, filed in Central District Court of California by Alejandro Flores of Los Angeles, on behalf of Uber customers and drivers, highlights that more than twelve months passed before the incident was disclosed to the public.
New reports, citing confidential Uber sources, suggest new Uber CEO Dara Khosrowshahi learned of the hack in September, two weeks after assuming his post. The breach was reported to potential investor SoftBank months ago, but not to the public.
Uber has been buffeted by legal, regulatory and personnel problems that led to the ouster of UCLA dropout Travis Kalanick from the C-suite in June 2017.
In 2014, Uber reached a settlement with the Federal Trade Commission over a hack that exposed driver information. The settlement imposed 20 years of independent audits upon the company, to assess the effectiveness of its data security.