A massive breach impacting 57 million Uber customers and drivers went undisclosed for more than a year.
According to Bloomberg, the ride-hailing app ousted its Chief Security Officer Joe Sullivan and one of his deputies for attempting to conceal the data breach.
The cyberattack, which dates back to October 2016, led to the exposure of 50 million Uber customer names, email addresses and mobile phone numbers from users across the globe.
Furthermore, roughly 7 million drivers were also affected, who had their driver’s license numbers stolen, as well.
The San Francisco-based company assured that trip location details, Social Security Numbers, or other personal data were not part of the breach.
“At the time of the incident, Uber was negotiating with U.S. regulators investigating separate claims of privacy violations. Uber now says it had a legal obligation to report the hack to regulators and to drivers whose license numbers were taken,” reported Bloomberg.
What’s more, the company reportedly went to great lengths to try to cover up the incident, paying hackers upwards of $100,000 to dispose of the data and keep quiet.
A spokesperson told Bloomberg the hack was carried out as follows:
“Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money.”
In a statement notifying customers, Uber claims it has found no evidence of fraud or misuse tied to the incident but will continue to monitor affected accounts for additional fraud protection.
“None of this should have happened, and I will not make excuses for it,” current CEO Dara Khosrowshahi said.
“We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers,” said Khosrowshahi.