After suffering a massive breach in which the data of 57 million riders and drivers was stolen, Uber paid the hackers to conceal the event, which was kept secret until now.
The huge hack took place in October 2016, and only now has the ride-hailing giant come forward with an official announcement.
The stolen data included names, email addresses and phone numbers of 50 million Uber customers, as well as the personal information of seven million Uber drivers, including around 600,000 driver’s license plates.
Uber claims that no social security numbers, credit card information, trip location details or other data were taken during the attack. The company also says that it paid the two individuals responsible for the attack $100,000 to delete the stolen data and remain quiet.
Drivers who had their license numbers exposed are being individually notified, with Uber providing them with free credit monitoring and identity theft protection. The company is also in contact with regulatory authorities.
Uber has fired its chief security officer, Joe Sullivan, and one of his deputies for their role in keeping the breach a secret. At the time of the attack, Uber was in the middle of negotiations with U.S. regulators who were investigating separate claims of privacy violations.
The ride-hailing firm now acknowledges it had a legal obligation to report the hack to authorities and to the affected drivers. Instead, it decided to pay the hackers to delete the data and remain silent about the attack.
“None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” said Dara Khosrowshahi, who became Uber’s Chief Executive Officer last September and claims he didn’t learn of the attack until recently.
“We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
Following Uber’s announcement, NY Attorney General Eric Schneiderman launched an investigation into the hack, and Uber was also hit with a lawsuit over the breach, filed by a customer seeking class-action status.
What should you do about it?
Uber drivers can find out if their data was stolen at this link. Uber says that the affected rider accounts are currently being monitored and have been updated with extra fraud protection, but there is currently no official way to find out whether your rider account has been breached.
Uber claims that outside forensic experts “have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded”.
That’s not exactly reassuring, so you may want to take some real precautionary measures, such as changing your password, setting up credit monitoring, going through your accounts for any suspicious activity and even placing a credit freeze to give you complete control over new transactions.