After a thorough investigation ordered by its new CEO Dara Khosrowshahi, Uber has revealed that it paid cyber criminals to keep the details of a data breach that the company suffered in 2016 from coming to light.
In October of last year, two attackers were able to access a private GitHub used by the ride-sharing company's engineers, from which they obtained login credentials for an Amazon Web Services (AWS) account used by Uber.
After searching through the files stored on the account, the cyber criminals discovered a large archive containing the personal data of 57 million users and drivers. The driver's license numbers of 600,000 US drivers were acquired in the breach as well as the personal information of seven million drivers. However, no social security numbers, credit card details, trip information or other data was exposed in the hack.
Uber had a legal obligation to report the breach to regulators and to the drivers whose information was leaked, but the company instead decided to pay the hackers responsible for the breach $100,000 to delete the data and keep the details of the hack under wraps.
In a recent blog post, the company's current CEO Dara Khosrowshahi offered more details concerning the breach and apologized for the way the matter was handled, saying:
“Two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use. None of this should have happened, and I will not make excuses for it. While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”
Image Credit: Melies The Bunny / Flickr