57 million Uber users’ details were stolen but the unicorn failed to disclose it

The ride-hailing firm is in trouble with several governments around the world after hiding a breach that exposed millions of users’ data

Uber has found itself in hot water. Again. Following months of headlines about the ride-hailing company being accused of intellectual theft and its drivers being charged with sexual assault, the tech unicorn has now revealed that Uber employees have been covering up a hack for over a year that saw information about 57 million users stolen.

The breach happened in October 2016 when outsiders managed to obtain the login credentials of Uber software engineers, giving the hackers access to the data of millions of the service’s users. The compromised information included things like names, email addresses and mobile phone numbers. Additionally, the data of around 600,000 drivers was also taken in the breach, including number-plate information and names. The hackers then demanded that Uber pay $100,000 for them to delete the data, something the tech firm complied with. Fortunately, the tech company has said that no social-security numbers, credit-card information, trip location details or other data was taken.

But even though the breach itself is dwarfed by the ones suffered by the likes of Yahoo and MySpace, Uber didn’t disclose to the public that its security had been compromised. However, it’s unclear exactly who was aware of the attack. According to Bloomberg, which first broke the story, Joe Sullivan, Uber’s chief security officer, led the response to the hack and Craig Clark, the legal director of security and law enforcement who reported directly to Sullivan, also knew about the breach. Similarly, Travis Kalanick, the former CEO and co-founder of Uber who stepped down in June, was reportedly informed about it in November 2016. However, Uber has stated that others, like the outgoing chief legal officer Salle Yoo, didn’t know about the breach until its board commissioned an independent investigation into Sullivan’s conduct spearheaded by an external law firm, which unearthed the breach and drew it to the public’s attention. As a result of this discovery, the startup has ousted both Sullivan and Clark.

However, these actions may not be enough to satisfy authorities in several countries – including the US, Australia and the UK – who have now opened investigations into the breach. “Deliberately concealing breaches from regulators and citizens could attract [high] fines for companies,” said James Dipple-Johnstone, deputy commissioner at the Information Commissioner’s Office, the authority promoting openness by public bodies and data privacy for individuals. “It’s always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers.”

This is the latest scandal Uber’s new CEO Dara Khosrowshahi has inherited from his predecessor. Commenting on the hack, Khosrowshahi said: “None of this should have happened and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”

Shortly after he stepped up to lead the struggling startup in September, Khosrowshahi told his employees to brace themselves as a painful six months lay ahead. And it definitely seems as if his prediction has been proven right.

Eric Johansson