November 24, 2017

Uber Concealed Data Breach: Paid Hackers $100,000 to ‘Delete Stolen Data of 57 Million Users’

Uber concealed a massive security breach from 2016 until this Tuesday, when the ride-hailing company's CEO, Dara Khosrowshahi, disclosed the incident in a blog post.


He said two hackers stole the personal data of 57 million customers and drivers in different countries from a third-party cloud-based server that the company uses. The compromised data included names, email addresses, and mobile phone numbers, as well as the names and driver’s license numbers of around 600,000 drivers in the United States. However, trip location history, credit card numbers, bank account numbers, Social Security numbers and dates of birth were not downloaded by the hackers.

Moreover, the company paid the hackers $100,000 to keep quiet about the breach and delete the stolen data. Uber assures that none of the stolen data was misused, but it did not reveal the identities of the hackers.

According to the company, the hack took place when two attackers compromised a private GitHub account used by Uber software engineers and then used the login credentials to access data stored on an Amazon Web Services account that handled computing tasks for the company. There, they discovered a data archive of rider and driver information and used that information to blackmail Uber for money, Bloomberg reports.


When the incident took place, Uber was negotiating with U.S. regulators investigating separate claims of privacy violations. The company now says it was legally obligated to report the hack but failed to do so.

“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed,” said Khosrowshahi in his blog post.

“None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”

After Uber revealed the incident, the governments of the United States, Australia, the United Kingdom and the Philippines said they are launching investigations to get better insight into the matter and take any further action. Uber can be subject to substantial monetary damages if the concealment of the incident was intentional.

This isn’t the first time a company has opened up about a security breach long after the fact. In fact, the Uber breach doesn’t even match the scale of those at Yahoo, Equifax Inc., MySpace and Target Corp. What’s more disturbing is that the company went to extreme measures to hide the incident.

What do you think about the Uber Security Breach? Drop your views in the comments!

