He said that a hacker duo compromised a third-party cloud server the company was using. The incident exposed the personal data (including names, emails, and phone numbers) of around 57 million Uber customers living in different countries. Also, the names and driving license numbers of 600,000 Uber drivers in the US were downloaded by the hackers.
In addition to staying tight-lipped on the matter, Uber paid the hackers $100,000 on the condition that they not disclose the data breach and that they destroy the compromised data.
According to Uber, the hackers compromised a private GitHub account and harvested the log-in credentials of an AWS account used by Uber. They discovered a data archive in the AWS account and later asked Uber to pay money, Bloomberg reports. The company also failed to meet its legal obligation to alert government bodies and those affected.
“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed,” said Khosrowshahi in his blog post.
Uber claims that information such as trip location history, credit card numbers, bank account numbers, Social Security numbers, and birthdays wasn’t affected as a part of the Uber data breach, which is not known to affect the company’s corporate network.
So far, the company believes the data hasn’t been misused or been the cause of any fraud, and that riders don’t need to take any action. It has fired two employees this week “who led the response to this incident,” which included keeping the data breach undisclosed and paying money to the hackers.
Uber’s recent disclosure of the year-old massive data breach has raised alarms among various authorities across the globe. Multiple authorities based in Australia, the United Kingdom, and the Philippines have launched investigations to get better insight into the matter and, possibly, into what could be done next, the Guardian reports.
The company might also have prepared itself for some class-action lawsuits. A customer has filed a suit against the company in a federal court in Los Angeles. It seeks class-action status covering all the customers and drivers affected in the US.
Uber is the latest company to unzip its mouth on the data breaches of the past. In comparison, its case may not have scaled to the level of Yahoo and Equifax, but what’s saddening is its response to the breach. All of this raises the question of how the company intends to protect the privacy and security of its customers and drivers. By keeping them in the dark?
“None of this should have happened, and I will not make excuses for it,” was all Uber’s new CEO, who took his position in September this year, could say in the end.
“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”