Uber announced that personal information regarding 57 million of its riders and drivers was stolen in 2016. The company initially covered up the data theft by paying the hackers $100,000 in exchange for deleting their copy of the information and signing non-disclosure agreements. But after a board of directors investigation into its business practices—and a subsequent report on the hack from Bloomberg—Uber finally disclosed the theft.
The affected information includes the names, email addresses, and phone numbers of 50 million Uber riders and 7 million drivers. Another 600,000 of the company's drivers ("driver-partners," natch) had their driver's license numbers compromised. Uber said it will notify the drivers whose license numbers were stolen and give them free credit monitoring and identity theft protection; it didn't say if it plans to contact riders.
The company was careful to note that none of this information was stolen from its own infrastructure. Instead, it was taken from a "third-party cloud-based service." According to Bloomberg, the service in question is Amazon Web Services, and the attackers didn't so much compromise the service as steal credentials that Uber engineers had stored unprotected on GitHub. With those credentials in hand, the data was easy to grab.
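The control this failure points to is catching cloud credentials before they reach a shared repository. The following is an added example, not code from the article or from Uber: a pre-commit style scan of a diff's added lines for AWS access key IDs and secret keys. The sample diff is constructed (the key strings are the placeholders AWS publishes in its own documentation), and the regex heuristics and entropy threshold are assumptions, not an official detector.

```python
import math
import re

# Constructed sample diff. The key values are the placeholders AWS uses in its
# documentation, not real credentials.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
+++ b/config/settings.py
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+DB_HOST = "db.internal.example"
+SECRET_HINT = "passwordpasswordpasswordpasswordpassword"
"""

# Long-lived AWS access key IDs start with "AKIA" followed by 16 uppercase alphanumerics.
ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Secret access keys are 40 base64-alphabet characters. Alone that matches far too
# much, so the heuristic also requires "secret" on the line and high entropy.
SECRET_RE = re.compile(r"(?i)secret[^\n]{0,40}?['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random keys score well above words."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_diff(diff: str, min_entropy: float = 4.0) -> list:
    """Return (line_number, kind, redacted_match) for credential-looking strings
    on added ('+') lines only, since only new code can introduce a new leak."""
    findings = []
    for lineno, line in enumerate(diff.splitlines(), start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # removed/context lines and file headers are not checked
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "aws_access_key_id", m.group(0)[:8] + "..."))
        for m in SECRET_RE.finditer(line):
            candidate = m.group(1)
            if shannon_entropy(candidate) >= min_entropy:  # drops repeated-word strings
                findings.append((lineno, "aws_secret_access_key", candidate[:4] + "..."))
    return findings


if __name__ == "__main__":
    for lineno, kind, redacted in scan_diff(SAMPLE_DIFF):
        print(f"line {lineno}: possible {kind} ({redacted})")
```

Wired into a pre-commit hook over `git diff --cached`, a non-empty result blocks the commit; the redacted output keeps the scanner itself from echoing the full secret into CI logs.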
Worse than the negligence was Uber's (almost successful) attempt to cover up the theft. In addition to paying the hackers $100,000 to delete the information and sign non-disclosure agreements, Uber also disguised the payment as part of its bug bounty program and failed to disclose it to regulators investigating its security practices. Incoming CEO Dara Khosrowshahi also wasn't informed of the incident when he was hired in June.
Khosrowshahi said in his blog post:
You may be asking why we are just talking about this now, a year later. I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it. What I learned, particularly around our failure to notify affected individuals or regulators last year, has prompted me to take several actions [...] None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.
The actions include: bringing on Matt Olsen, former general counsel of the National Security Agency and director of the National Counterterrorism Center, to advise him on how to lead his security team; firing chief security officer Joe Sullivan and legal director of security and law enforcement Craig Clark, per The New York Times; notifying affected drivers and giving them fraud protection; and flagging other affected accounts.
Uber's breach clearly pales in comparison to those at Equifax, Yahoo, and other companies that collected more detailed information about far more people. But its response to this breach highlights the company's leadership style of begging forgiveness instead of attempting to do the right thing—i.e., not paying off hackers and then hiding the payment from the world—from the get-go. Perhaps Khosrowshahi will change that.