Hackers stole the personal data of 57 million Uber customers and drivers over the course of a year, the company admitted in a blog post Tuesday.
Of course, Uber being Uber, there’s more to the story.
Instead of owning up to the issue, the chief security officer of the company covered it up and paid out $100,000 to the hackers, according to Bloomberg.
The data breach included names, email addresses, and phone numbers of about 50 million Uber riders and the personal information of 7 million drivers. Bad news: it included 600,000 license numbers. Good news: no social security numbers and no details about rides. And there have been no signs of fraud, according to Uber.
“While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection,” the blog post reads.
In response, Uber fired Chief Security Officer Joe Sullivan this week, Bloomberg reported. He was one of the few remaining C-suite executives from the Travis Kalanick era. Several executives have been pushed out recently over a variety of issues including sexual harassment allegations. Others, like former Uber president Jeff Jones, have left on their own accord.
To cover up the data breach, Uber had paid the hackers $100,000 to delete the data and stay quiet, according to Bloomberg. The details and the subsequent firing of the CSO are only being made public due to a legal obligation.
Of course, Uber’s CEO Dara Khosrowshahi, who was not in charge during the time of incident is not happy.
“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said in an emailed statement to Bloomberg. “We are changing the way we do business.”
It’s just the latest in a sea of scandals Uber has faced in the last year. Khosrowshahi has inherited them after taking on the role of CEO in September. The U.S. Justice Department is investigating at least five criminal probes, including using illicit software, stealing intellectual property, and bribing, Bloomberg reported last month.
The data breach was uncovered via an investigation conducted by an outside law firm into Uber’s security team. Uber’s board had commissioned that investigation last month.
The details of how Uber got hacked (Uber engineers left their AWS keys on Github) don’t do much to inspire confidence in their cybersecurity practices. This is the equivalent to: left the keys to the safe in the front door.
— Sheera Frenkel (@sheeraf) November 21, 2017
In response to this revelation of the hack and the subsequent coverup, Khosrowshahi requested the resignation of Sullivan and also fired senior lawyer Craig Clark, according to Bloomberg. Uber’s former chief legal officer Salle Yoo, who already announced her departure, was not aware of the matter.
According to Khosrowshahi, Uber took steps to prevent a breach like that from happening again. But that’s not enough going forward as he and a new team trying to wipe the grime from Uber’s tarnished brand.
“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” he wrote in the blog post.
As part of Khosrowshahi’s effort to put Uber on a legally sound path, the company hired Matt Olsen, formerly general counsel at the National Security Agency and director of the National Counterterrorism Center, as an adviser.
Uber will notify all drivers who license numbers were downloaded and provide them with free credit monitoring and identify theft protection, Khosrowshahi also shared in the blog post.