Join our Waitlist for Expert Advice!

Uber Got Hacked a Year Ago and Paid the Hackers to Keep It Secret Uber reportedly paid the hackers $100,000 to delete the stolen data and keep quiet about it.

By Michael Kan

This story originally appeared on PCMag

via PC Mag

Uber is only now going public about an October 2016 data breach that affected the data of Uber drivers as well as 57 million users, exposing their names, email addresses and mobile phone numbers.

Uber's new CEO Dara Khosrowshahi said Tuesday that he only recently learned about the incident, which Uber discovered in November 2016.

"You may be asking why we are just talking about this now, a year later," wrote Khosrowshahi, who was hired in August. "I had the same question, so I immediately asked for a thorough investigation."

Uber found that "two individuals outside the company" accessed user data -- including the names and driver's license numbers of 600,000 drivers in the U.S. -- via a third-party cloud service.

"We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed," Uber's CEO wrote.

According to Bloomberg, Uber paid the hackers $100,000 to delete the data and stay quiet.

No trip location history, credit card numbers or other sensitive data like Social Security numbers were downloaded by the hackers, Khosrowshahi said. Uber is now notifying drivers affected by the breach and monitoring affected user accounts with additional fraud protection. So far, Uber has found no evidence of fraud or misuse related to the breach.

However, it's unclear why Uber didn't alert regulatory authorities. Most states, including California, have laws that demand companies disclose data breaches when they affect local residents' personal information.

"None of this should have happened, and I will not make excuses for it," according to Khosrowshahi, who fired the two people who led the company's response to the breach. That includes Uber's chief security officer Joe Sullivan, Bloomberg says.

"While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes," Khosrowshahi said.

Uber did not immediately respond to a request for comment.

Why paying hackers can be problematic

The company's decision to reportedly pay off the hackers is raising a lot of questions.

Did the hackers really delete the stolen data? Why is Uber so confident that the hackers kept their word?

"You are basically relying on the integrity of a criminal group," said security expert Vincent Weafer, vice president of McAfee Labs.

Uber's statement on Tuesday oddly indicates the company actually knows the hackers' identities. But that same statement doesn't mention anything about Uber contacting the FBI to arrest the hackers.

"It's a very unusual case," said Weafer, who pointed out that hackers can't be trusted.

For instance, many businesses are experiencing ransomware attacks from cybercrminals. These attacks will hold computer systems hostage, and demand the victims pay a ransom to free them.

However, hackers have no obligation to release the computers when paid, and can often leave the computers infected, Weafer said.

"When people have paid the money, you still never know for sure if the breach has been contained or any information has been leaked," he added. "In this case, we still don't know enough."

News of the breach is stirring up plenty of debate among security experts over Uber's handling of the situation.

Why Uber decided to keep the data breach secret is another key question. Under its previous CEO, Travis Kalanick, the company gained a nasty reputation for breaking the rules, and avoiding the authorities.

The company's new CEO, Khosrowshahi, is working to repair that reputation and making Uber more transparent. In response to the breach, he's hired a former general counsel for the U.S. National Security Agency to help Uber improve its security teams.

Michael Kan

Reporter

Michael has been a PCMag reporter since October 2017. He previously covered tech news in China from 2010 to 2015, before moving to San Francisco to write about cybersecurity.

Want to be an Entrepreneur Leadership Network contributor? Apply now to join.

Editor's Pick

Side Hustle

This 79-Year-Old Retiree's Side Hustle Earns $4,000 a Month: 'I Work as Much or as Little as I Desire'

Dan Weiss saw an article about a side hustle in the local newspaper — then decided to try it himself.

Starting a Business

She Started a Business With $300 After Getting Laid Off. It Made $300,000 in Year 1 and Became a Multimillion-Dollar Company.

Bobbie Racette wanted to revamp the virtual assistance space — and provide job opportunities for underrepresented communities at the same time.

Science & Technology

These Are the 9 Dead Giveaways That AI Wrote This Story

How to spot a bot behind the content you read—everytime.

Money & Finance

These 3 Money Mistakes Derailed My Financial Stability as a Latina Entrepreneur — Here's How You Can Avoid Them

These are common hurdles for Hispanic entrepreneurs, but with the right strategies, you can overcome them and achieve lasting financial stability while staying true to who you are. Here's how to avoid the three biggest mistakes that could be holding you back.

Business Ideas

63 Small Business Ideas to Start in 2024

We put together a list of the best, most profitable small business ideas for entrepreneurs to pursue in 2024.