Uber confirms hack, cover-up affecting 57 million users, including 600K U.S. drivers

In this Wednesday, March 15, 2017, file photo, an Uber car drives through LaGuardia Airport in New York. (Source: AP Photo/Seth Wenig, File)
PHOENIX (3TV/CBS 5) -

Uber’s CEO on Tuesday confirmed that the company was hacked in a huge data breach that was kept under the radar for more than a year.

“[T]wo individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use,” Dara Khosrowshahi wrote on Uber’s website. “The incident did not breach our corporate systems or infrastructure.”

It happened in October 2016, but the company did not alert anybody -- not the victims and not regulators.

"Our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded," he continued. "However, the individuals were able to download files containing a significant amount of other information ...."

  • Names and driver license numbers of 600,000 U.S. drivers
  • Names, email addresses and mobile phone numbers of 57 million users around the world

According to Bloomberg, former CEO and Uber co-founder Travis Kalanick learned about the hack a month after it happened. Bloomberg reports that the company paid a $100,000 ransom to the hackers to delete the information they stole in an attempt to keep the incident quiet. The company has not confirmed that.

"At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals," Khosrowshahi wrote on Tuesday. "We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed."

Khosrowshahi, who was Expedia's CEO before moving to Uber in August, also talked about why we are just hearing about this now, a year later.

"I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it," he said.

He also outlined actions he has taken in light of Uber's "... failure to notify affected individuals or regulators last year."

In addition to dismissing two of the people who initially responded to the hack -- including the chief security officer, according to Bloomberg -- Khosrowshahi said he is working with a cybersecurity consulting firm to structure its in-house security team and develop processes for handling such issues going forward.

He also said the company is notifying the individual drivers whose information was compromised, as well as providing them with credit monitoring and identity theft protection for free.

The company will be "monitoring the affected accounts and [has] flagged them for additional fraud protection."

"We encourage all our users to regularly monitor their credit and accounts, including their Uber account, for any issues," advises the Uber website. "Please let us know via the Help Center if you see anything unexpected or unusual related to your Uber account." 

To do that, start by tapping Help in your Uber app.

  • "Account and Payment Options" > "I have an unknown charge" > "I think my account has been hacked"

Uber, which is based in San Francisco, celebrated its fifth anniversary in Phoenix earlier this month.

News of the October 2016 hack comes on the heels of news that Colorado regulators levied a nearly $9 million fine against Uber's parent company for allowing individuals with previous felony convictions or major traffic violations, including drunk driving, to drive for the company.

"Colorado state law prevents people with felony convictions, alcohol or drug-related driving offenses, unlawful sexual offenses and major traffic violations from working for rideshare companies," according to The Associated Press.

Here is the full statement from Uber

As Uber’s CEO, it’s my job to set our course for the future, which begins with building a company that every Uber employee, partner and customer can be proud of. For that to happen, we have to be honest and transparent as we work to repair our past mistakes.

I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use. The incident did not breach our corporate systems or infrastructure.

Our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded. However, the individuals were able to download files containing a significant amount of other information, including:

  • The names and driver’s license numbers of around 600,000 drivers in the United States. Drivers can learn more here.
  • Some personal information of 57 million Uber users around the world, including the drivers described above. This information included names, email addresses and mobile phone numbers. Riders can learn more here.

At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.

You may be asking why we are just talking about this now, a year later. I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it. What I learned, particularly around our failure to notify affected individuals or regulators last year, has prompted me to take several actions:

  • I’ve asked Matt Olsen, a co-founder of a cybersecurity consulting firm and former general counsel of the National Security Agency and director of the National Counterterrorism Center, to help me think through how best to guide and structure our security teams and processes going forward. Effective today, two of the individuals who led the response to this incident are no longer with the company.
  • We are individually notifying the drivers whose driver’s license numbers were downloaded.
  • We are providing these drivers with free credit monitoring and identity theft protection.
  • We are notifying regulatory authorities.
  • While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection.

None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.

Copyright 2017 KPHO/KTVK (KPHO Broadcasting Corporation). All rights reserved.