Uber hid massive data breach for over a year

Uber’s office in San Francisco. The company disclosed Tuesday it was the victim of a hack more than a year ago and that it fired its chief security officer, Joe Sullivan, for keeping the breach a secret for more than a year. Photo: RYAN YOUNG, NYT

For more than a year, Uber concealed a massive data breach of personal information for 57 million customers and drivers worldwide, the ride-hailing company said Tuesday. Uber paid $100,000 to the two hackers behind the theft to destroy the data and stay mum about the break-in.

The data stolen in October 2016 included names and driver’s license numbers for 7 million drivers (600,000 of them in the U.S.), and names, email addresses and cell phone numbers for millions of riders. Uber said its forensic experts believe that credit card numbers, bank account numbers, Social Security numbers, dates of birth and trip histories were not compromised. The company said there is no evidence that the hacked data was used for fraudulent purposes.

Cybersecurity experts said Uber’s failure to notify affected individuals and disclose the breach to regulators showed a tremendous shirking of responsibility, and violated a California law requiring businesses to inform the state attorney general and people whose personal information was stolen.

Uber itself acknowledged the same.


“None of this should have happened, and I will not make excuses for it,” wrote Uber CEO Dara Khosrowshahi in a blog post. The company said it is now notifying regulators, contacting affected individuals and providing a year’s worth of free credit monitoring and identity theft protection to affected drivers. It’s also monitoring affected accounts for fraud protection.

Uber’s board recently discovered the hack after commissioning a probe by an outside law firm. The company this week fired its chief security officer, Joe Sullivan, along with one of his subordinates, for concealing the data breach.

Uber co-founder Travis Kalanick, who was ousted as CEO of the world’s most valuable startup in June, learned of the hack a month after it occurred, at a time when Uber was tussling with regulators over its data security, according to Bloomberg News, which first reported the breach. Kalanick was replaced by Khosrowshahi in August after a scandal-plagued year.

An agency like the Federal Trade Commission could sanction Uber if it found that the company’s actions conflicted with assurances in its privacy policy. Criminal charges against Kalanick and Sullivan for their alleged role in covering up the breach are not out of the question, legal experts said.

It is the cover-up, rather than the hack itself, that is likely to further tarnish the company’s battered reputation.

“Am I surprised that Uber was broken into?” said Steven Weber, a UC Berkeley professor of information science. “No, I’m not. Some people facetiously say there are two kinds of companies: Those that know they’ve been hacked, and those that don’t know.”

Major companies including Yahoo, Equifax, Target and Anthem have been targeted in recent hacks that uncovered far more information than was gained in the Uber break-in.

But not disclosing the breach is likely to exacerbate the public’s lack of confidence in Uber, Weber said. “Let this be a lesson to other companies that find out they’ve been attacked and want to try to fix the problem without anyone finding out,” Weber said. “People will find out, and when they do, they will be really pissed. It’s better to be honest.”

Weber is also director of Berkeley’s Center for Long-Term Cybersecurity. Sullivan, the former Uber security chief, sits on the center’s advisory board. Weber said the group doesn’t yet know how it will handle the revelations about Sullivan.

Uber’s payment of hush money to hackers sounds shocking, but experts were divided about how egregious it was.

“I hear quiet rumors it happens sometimes, but it raises concerns about encouraging more criminal activity,” said David Wagner, a UC Berkeley professor of computer science.

But Weber said the payout strikes him as similar to paying to remove ransomware from a computer. “If they believed that by paying $100,000 ransom they could verify that the data had been deleted and protect their business and their users, that might have been a plausible thing to do,” he said.

Khosrowshahi is handling the situation appropriately, experts said. His words and actions “sound responsible and mature,” Wagner said. “Good for him about being up front and disclosing the situation.”

Harry Campbell, an Uber driver who runs the Rideshare Guy blog and podcast, said he hadn’t yet received any proactive notice about the breach. His driver app shows a link to “check on my status,” which he clicked. “Sure enough, it looks like I was hacked,” he said in an email. “Seems strange that you have to opt in to find out if you were hacked.” Uber said it is now in the process of emailing affected people.

Mark Simmerman, a senior security engineer at Intivix, an IT consulting firm in San Francisco, said Uber’s breach underscores the need for a national standard for cybersecurity attacks.

The patchwork of state laws regulating data breaches, Simmerman said, has fostered an environment in which companies can be cavalier with customer data and rarely face serious consequences.

“We have really reached a tipping point where a national law needs to be passed with standards and penalties so that when large enterprises have to react, even if they’ve done nothing wrong, they have clear guidance about how they might notify anyone affected by the breach and how to work with law enforcement, if that’s necessary,” he said.

Carolyn Said and Dominic Fracassa are San Francisco Chronicle staff writers. Email: csaid@sfchronicle.com, dfracassa@sfchronicle.com Twitter: @csaid, @dominicfracassa