Ride-hailing company Uber concealed a data breach that affected the personal information of 57 million customers and drivers, the company admitted on Tuesday. Its chief security officer and one of his deputies have been fired. (more)
Dara Khosrowshahi, who took over as chief executive in August, said he recently became aware of the data breach, which occurred in October 2016 when the company was negotiating with U.S. regulators over an investigation into claims of privacy violations. Uber failed to report the breach.
"I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use," Khosrowshahi said in a statement. "The incident did not breach our corporate systems or infrastructure."
Khosrowshahi said those responsible were able to download some personal information - including names, email addresses and mobile phone numbers - of 57 million Uber users around the world. They also downloaded the names and driver's license numbers of around 600,000 drivers in the U.S.
After the breach was detected, the company identified those responsible and paid them $100,000 to delete the information and to keep the breach quiet, according to Bloomberg, which first reported the news. Uber said it believes the stolen data was never used.
Joe Sullivan, the company's chief of security who led the response to last year's data breach, was asked to resign after Khosrowshahi became aware of what happened, according to Bloomberg. Craig Clark, a senior lawyer who reported to Sullivan, has been fired.
It was not immediately disclosed who was responsible for the data breach or how it was carried out. There was also no immediate word on whether U.S. regulators will launch an investigation into what happened and the company's failure to report the incident.
"None of this should have happened, and I will not make excuses for it," Khosrowshahi said. "While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers."
The company said it will notify drivers affected by the breach and provide them with free credit monitoring and identity theft protection. It was not immediately clear whether it will also notify affected customers, but Uber said it will flag affected accounts for "additional fraud protection."
Published on November 21, 2017 - 5:50pm EST