Uber’s Data Breach Cover Up, CEO Responds

Uber’s CEO Dara Khosrowshahi has responded to the ridesharing company’s latest controversy that saw Uber covering up a massive data breach in October 2016 and paying the two hackers $100,000 to keep quiet.

“None of this should have happened, and I will not make excuses for it,” said Khosrowshahi in a statement.

Last year, two people downloaded a batch of personal user and driver data that Uber stored on GitHub, a third-party cloud-based service.

The stolen information included the names, email addresses and mobile phone numbers of 57 million Uber users around the world. The names and driver’s license numbers of roughly 600,000 U.S. drivers were also downloaded.

But that was something Uber covered up instead of notifying users and regulators that personal information was compromised. It was only until Bloomberg News reported the data breach on Tuesday that Uber issued a statement to inform the public of the incident.

Bloomberg reported Uber’s chief security officer, Joe Sullivan, and one of his deputies concealed the breach. Uber has since fired both men.

“You may be asking why we are just talking about this now, a year later. I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it,” said Khosrowshahi.

While Khosrowshahi only took over the chief executive role in August, he said Uber took immediate steps at the time of the incident to both secure the data and shut down further unauthorized access.

“We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts,” he explained.

Khosrowshahi outlined the new actions Uber is taking today to rectify the company’s failures to adequately handle the data breach last year.

Uber will individually notify affected drivers—and providing those drivers with free credit monitoring and identity theft protection—as well as notify regulatory authorities. There have been no indications of fraud resulting from the data breach, but Khosrowshahi said Uber is monitoring affected accounts and flagging them for additional fraud protection.

However, the company hasn’t yet released how many users from the affected countries have had their data compromised.

Khosrowshahi did clarify what personal data was downloaded in the 2016 breach, stating outside forensics experts determined other highly personal information like credit card numbers, bank account numbers, Social Security numbers or dates of birth weren’t downloaded.

Meanwhile, regulators in the U.S. and U.K. are opening their own investigations, according to Reuters.