Uber has disclosed that information from over 57 million Uber user and driver accounts was stolen in October last year. The company paid $100,000 to the hackers and kept this breach a secret.
Uber said on Tuesday, in a public statement, that the company had fallen prey to a massive security breach in late 2016. Calling it the “2016 Data Security Incident”, Uber’s newly announced CEO, Dara Khosrowshahi, said that the data of over 50 million of its consumers was stolen, along with over 6 million licenses from Uber drivers. The company, though, took appropriate measures and made sure that the stolen data was destroyed at the hackers’ end and was not misused at all.
The company has not given the full details of the breach; however, as reported by Bloomberg, this is how the attack took place:
Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money.
The decision makers at that time paid $100,000 to the hackers and kept this breach a secret.
Now, the biggest question is: why is the company talking about it now? As the statement puts it, “we have to be honest and transparent as we work to repair our past mistakes…”; the company now wants to be fair to its clients so as to repair its damaged brand reputation among users.
Dara Khosrowshahi has assured that he has taken certain measures to avoid such instances in the future (at least during his tenure).
- “I’ve asked Matt Olsen, a co-founder of a cybersecurity consulting firm and former general counsel of the National Security Agency and director of the National Counterterrorism Center, to help me think through how best to guide and structure our security teams and processes going forward. Effective today, two of the individuals who led the response to this incident are no longer with the company.
- We are individually notifying the drivers whose driver’s license numbers were downloaded.
- We are providing these drivers with free credit monitoring and identity theft protection.
- We are notifying regulatory authorities.
- While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection.”
Here are the aftereffects of the public disclosure of the breach that happened a year ago.
The CSO of Uber, along with his assistant, has been fired from his post; an investigation has been set up to look into the hack; and the company has been sued for negligence over the breach by a customer seeking class-action status.