Uber has confirmed that it hid a massive data breach affecting over 57 million customers and drivers.
The hack occurred in 2016. The taxi service paid the hackers in the region of £75,000 to delete the data.
According to widespread reports, the firm’s former CEO Travis Kalanick learnt about the breach over a year ago.
According to a post on Uber’s website: “Rider information included the names, email addresses and mobile phone numbers related to accounts globally. Our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded.”
Uber also states that affected individuals need take no special action as a result of the breach; however, Computing would advise paying careful attention to credit card and other forms of financial transaction over the next few months.
Commenting on the breach, Rik Ferguson, Vice President Security Research at Trend Micro said:
“There is no question that the previous management and security team at Uber failed in their responsibility to their drivers, to regulators, to justice and above all to their customers, and that’s a pretty long list.
“However certain those responsible may have been that their attackers had been silenced, digital theft does not work the same way as in the physical world, you can never ‘buy back the negatives’ once data has been stolen.
“It is heartening to see the new management team come clean about the breach, but I remain concerned at some of the wording in Mr. Khosrowshahi’s blog. He appears to distance Uber’s ‘corporate systems and infrastructure’ from the ‘third-party cloud-based service’ that was the target of the breach. This is perhaps indicative of the root of the problem. Cloud services adopted by a business are corporate systems and infrastructure and from a security perspective should be treated as such.”
Sam Curry, Chief Security Officer for Cybereason, criticised Uber for paying to cover up the breach.
“Who watches the watchers? The truly scary thing here is that Uber paid a bribe, according to news reports, essentially a ransom to make this breach go away and they acted as if they were above the law. Those people responsible for the integrity and confidentiality of the data in fact covered it up.
“To all outward appearances, the new CEO and management team are doing the right thing and making the difficult choices. However, difficult consequences still have to follow. And above all, this is a wake-up call to the industry that CSOs have a responsibility not just to the companies that they work for, but the people whose data is affected.
“In other words, Joe Sullivan and crew should have acted in the interest of the public good and public safety and made these tough choices far, far sooner. It’s time not to let another Equifax, Deloitte, etc happen and to leave no grey area to security officers as to what the right thing to do is.”