When Uber Discovered A Major Security Breach, It Paid Hackers To Keep It A Secret: Report
Uber has made a groundbreaking revelation.
On Tuesday, Nov. 21, the ride-hailing company disclosed that hackers had stolen 57 million customer and driver accounts and that it paid them $100,000 to keep quiet about the breach.
According to several former and current employees who asked to remain anonymous, the arrangement was handled by Uber's chief security officer under the watch of Travis Kalanick, then the company's CEO.
Uber Paid Hackers To Keep Quiet About A Massive Data Breach
The security officer in question, Joe Sullivan, has been fired, as The New York Times reports. Meanwhile, Kalanick is still with the company but was forced to resign as CEO in June following scandals over allegations that Uber's workplace culture was sexist and full of power-hungry executives. He remains seated on Uber's board.
What They Stole
The two hackers stole phone numbers, email addresses, and even names from a third-party server, admitted Uber CEO Dara Khosrowshahi in a statement. The driver's license numbers of about 600,000 U.S. drivers were also included. The hackers then approached Uber for a $100,000 ransom. Uber met the demands, but went further: it tracked down those hackers and forced them to sign nondisclosure agreements. Uber didn't stop there, however.
To conceal the security breach even further, Uber executives made it appear as if the hack was the result of a bug bounty program, a common practice among companies in which they promise hackers certain amounts of money if they find security flaws within their products or services.
Uber waited until Nov. 21 to reveal the breach to New York's attorney general and the Federal Trade Commission, the country's top consumer watchdog, according to Bloomberg. The disclosure is the latest in a series of massive data breaches that raise crucial questions about companies' ability to keep consumer data safe from prying hands.
Massive Data Breaches
In October, Yahoo revealed that 3 billion of its users' accounts were breached. In September, credit bureau Equifax admitted that information belonging to 145.5 million people may have been compromised, starting widespread controversy and furor. Uber's new revelation comes at a pivotal transitional period for the company, which is still recovering from the exhaustion brought about by Kalanick's strained leadership.
"None of this should have happened, and I will not make excuses for it," said Khosrowshahi.
The Uber CEO said he's now seeking help from Matt Olsen — a cofounder of a cybersecurity consulting firm, former general counsel of the National Security Agency, and director of the National Counterterrorism Center — to guide him on how to improve the company's security structures in the future.