Uber’s disclosure that hackers accessed the personal information of 57 million riders and drivers last year, a breach it didn’t disclose publicly until Tuesday, adds new potential legal woes for the already troubled company.
At the time of the breach, Uber paid hackers $100,000 to destroy the data and did not tell regulators or users that their information was stolen.
Uber is trying to salvage its reputation following a number of high-profile controversies, including using software called Greyball to evade regulators, a court battle over allegedly stolen secrets from Google’s self-driving car division, and a slew of complaints regarding sexual harassment and toxic company culture.
Uber CEO Dara Khosrowshahi said two hackers broke into the company in late 2016 and stole personal data, including phone numbers, email addresses, and names, of 57 million Uber users. Among the stolen data were 600,000 driver’s license numbers belonging to drivers for the company.
Khosrowshahi says hackers accessed the data through a third-party, cloud-based service. According to Bloomberg, they got into Uber’s account on GitHub, a site many engineers and companies use to store code and track projects. There, hackers found the username and password to access Uber user data stored on an Amazon server.
Jeremiah Grossman, chief of security strategy at security firm SentinelOne, says this was not a sophisticated hack. Companies frequently accidentally keep credentials in source code that is uploaded to GitHub, he said.
The $100,000 payment
Instead of alerting users and authorities to the breach as required by law, Uber paid the hackers $100,000.