Uber has disclosed that hackers had stolen 57 million driver and rider accounts and that the company had kept the data breach secret for more than a year after paying a $100,000 ransom.
The deal was arranged by the company’s chief security officer and under the watch of the former chief executive, Travis Kalanick, according to several current and former employees who spoke on the condition of anonymity.
“None of this should have happened, and I will not make excuses for it,” said a statement from chief executive Dara Khosrowshahi, who took over at the ridesharing giant in August.
Two members of the Uber information security team who “led the response” that included not alerting users that their data was breached were let go from the San Francisco-based company effective on Tuesday, according to Khosrowshahi.
The Uber chief said he only recently learned that outsiders had broken into a cloud-based server used by the company for data and downloaded a “significant” amount of information.
Stolen files included names, email addresses, and mobile phone numbers for riders, and the names and driver license information of some 600,000 drivers, according to Uber.
Uber reportedly paid the hackers 100,000 to destroy the data, not telling riders or drivers whose information was at risk, according to a source familiar with the situation.
Co-founder and ousted chief Travis Kalanick was advised of the breach shortly after it was discovered, but it was not made public until Uber’s new boss Khosrowshahi learned of the incident.
“You may be asking why we are just talking about this now, a year later,” Khosrowshahi said. “I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it.”
Khosrowshahi reportedly said that what he learned about Uber’s failure to notify users or regulators prompted corrective actions. Uber is notifying drivers whose license numbers were swiped, and offering them credit and identity theft protections.
The company also said it is notifying regulators, and monitoring affected rider accounts for signs of fraud. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” Khosrowshahi reportedly said. “We are changing the way we do business.”