Uber paid hackers $100,000 to hide year-old breach of 57 million users

Elizabeth Weise | USA TODAY

Show Caption Hide Caption Uber: Two employees fired for paying hackers to keep breach a secret Ride service app Uber is is hot water once again.

SAN FRANCISCO — Personal information belonging to about 57 million Uber customers and drivers was stolen by hackers last October, a breach the company kept hidden for a year and for which its chief security officer was fired this week.

The stolen data included names, email addresses and phone numbers of 50 million Uber riders and 7 million drivers. The drivers’ stolen information also included 600,000 US. drivers' license numbers, CEO Dara Khosrowshahi said in a statement.

"You may be asking why we are just talking about this now, a year later. I had the same question," Khosrowshahi wrote.

After asking for an investigation, Uber discovered that instead of notifying regulators and the affected individuals it had "identified the individuals and obtained assurances that the downloaded data had been destroyed," he wrote.

More: USA TODAY's list of the biggest data breaches and hacks of all time (Hint: Uber's only #12)

Bloomberg reported Tuesday afternoon that the company actually paid the hackers $100,000 to delete the data and keep mum about it.

It’s not unheard of for companies to pay ransom if their computers are locked up due to ransomware, said Ben Johnson, chief technology officer for the computer firm Obsidian Security.

“Payment can occur and is usually tied to a specific demand,” he said.

Uber: Info from 57 million clients, drivers at risk Use Uber? Your personal information might be at risk! In a public statement, Uber's CEO confirmed that information belonging to about 57 million customers and drivers was stolen by hackers.

That said, “paying off hackers to keep them quiet and avoid breach disclosure laws is pretty rare and another matter altogether,” he noted.

It’s also not a smart tactic, said Paul Lipman, CEO of antivirus company BullGuard.

" If you pay a hacker’s ransom, what guarantee do you have that they'll really delete your data? You can hardly rely on a cybercriminal to hold up their end of that bargain. Furthermore, it just serves to encourage further hacking, making all of us less secure.”

The New York State Office of the Attorney General has opened an investigation into the newly revealed breach, said press secretary Amy Spitalnick.

Khosrowshahi in his blog post said that "effective today, two of the individuals who led the response to this incident are no longer with the company."

Those individuals were chief security officer Joe Sullivan and fired Craig Clark, a senior lawyer who reported to Sullivan, Bloomberg said.

Uber did not respond to a request for comment for more details about the allegations.

In a statement to its users, Uber said it did not believe they needed to take action. "We have seen no evidence of fraud or misuse tied to the incident. We are monitoring the affected accounts and have flagged them for additional fraud protection," the statement read.

The breach began when attackers accessed Github.com, a website used by software engineers, and obtained login credentials there for information stored on an Amazon Web Services account controlled by Uber, Bloomberg said. In that account they found an archive containing rider and driver data.

That is similar to a 2014 case in which an Uber engineer put an access ID for Uber’s third-party cloud storage on Github.com, a website for software engineers. The post that was accessible to the general public, according to NY AG Schneiderman. In May, someone unaffiliated with Uber accessed the database, including Uber driver names and license numbers.

Uber discovered the breach in September 2014 but did not provide notice to the affected drivers or Schneiderman’s office until six months later, the Attorney General’s office said.

Uber agreed to pay a $20,000 penalty for failure to provide timely notice of the breach to drivers and the Attorney General.

More: Colorado hits Uber with $8.9 million fine over shady drivers

More: Uber admits its ghost driver 'Greyball' tool was used to thwart regulators, vows to stop

More: Uber says stolen self-driving car files never touched its servers

More: Victim in Uber India rape case may take action, her attorney says

Previous troubles

The fine comes as the ride-hailing company continues to be targeted by lawsuits for assault against its contractor drivers and struggles to polish a brand image tarnished by reports of systemic sexism and dodgy ethics that toppled cofounder and CEO Travis Kalanick earlier this year. He is still on Uber's board.

Uber had a history of playing fast and loose with regulators as it quickly grew from start-up to the dominant player in ride hailing. In Portland, Ore. it created and used a tool called “greyballing” in 2014 to thwart attempts by city regulators attempting to track the service.

Uber also came under fire during an investigation by Schniederman that it had created what was known as the "God view" to allow it to track riders and that it used the system at least once to track a reporter.

The company also fired executive Eric Alexander after press reports emerged that he had flown to India and illegally obtained the medical records of a woman who was raped by her Uber driver there, in an attempt to discredit her.

The former autonomous vehicle unit of Google, Waymo, has sued Uber, saying it hired former Google engineer Anthony Levandowski, who stole 14,000 files of trade secrets before leaving Google in January 2016. The suit alleges the files helped Uber improve its LiDAR technology. Uber has countered that the suit is just an attempt to stall a competitor in the potentially lucrative race for autonomous car tech.

Contributing: Marco della Cava

Follow Elizabeth Weise on Twitter @eweise