Ride-hailing service Uber Technologies revealed Tuesday that the company suffered a breach of 57 million Uber user accounts in 2016. According to reports, Uber then attempted to cover up the incident by paying $100,000 to attackers to keep the hack a secret and delete the data.
The breach and subsequent failure to properly disclose the incident also cost Uber’s chief security officer Joe Sullivan and one of his deputies their jobs.
On Tuesday Dara Khosrowshahi, Uber CEO, wrote that the breach occurred in October 2016 and included names, email addresses and mobile phone numbers of 57 million Uber riders. Along with rider data, he said the names and driver’s license numbers of around 600,000 drivers in the US were also stolen.
“I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use,” Khosrowshahi said.
Uber said the breach occurred before Khosrowshahi became CEO this past September. According to a report by Bloomberg, which first reported the news, Travis Kalanick, Uber’s co-founder and former CEO, was made aware of the hack a month after it occurred, in November 2016.
“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed,” Khosrowshahi said.
According to Khosrowshahi no trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were stolen.
Bloomberg reports that the two attackers gained access to the Uber data stored on Amazon Web Services accounts using Uber software engineer credentials found on GitHub.
“Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company,” Bloomberg reported.
Once the data was stolen, the attackers emailed Uber and demanded money.
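The entry point described above was a credential committed to a code repository. The simplest control against that class of mistake is a scanner that refuses to let files containing credential-shaped strings be committed at all. The following is an added example, not code from the article or from Uber, that looks for AWS access key IDs and secret access keys in text. The key formats are the ones AWS documents; the sample values are the non-functional example credentials from AWS documentation, and the settings file they appear in is constructed for the example.

```python
import re
import sys

# AWS access key IDs start with "AKIA" followed by 16 uppercase alphanumerics;
# secret access keys are 40 characters from the base64 alphabet. Both are the
# documented formats, not guesses.
ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# A bare 40-character base64 string matches far too much (hashes, tokens), so
# the secret-key pattern requires a "secret[_access]_key"-style name beside it.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws)?_?secret(?:_access)?_key\W{0,4}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

def redact(value):
    """Show only the ends of a matched value so findings are safe to log."""
    return value[:4] + "..." + value[-4:]

def scan_text(text, path="<memory>"):
    """Return findings as (path, line_no, kind, redacted_value) tuples."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((path, line_no, "aws_access_key_id", redact(m.group(1))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((path, line_no, "aws_secret_access_key", redact(m.group(1))))
    return findings

def scan_paths(paths):
    """Scan files on disk, e.g. the staged files passed in by a pre-commit hook."""
    findings = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings.extend(scan_text(fh.read(), path))
    return findings

# Constructed sample of a settings file that should never reach a repository.
# The key values are AWS's documentation examples and do not work anywhere.
SAMPLE_CONFIG = """# settings.py (constructed sample)
DEBUG = True
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
S3_BUCKET = "constructed-bucket-name"
"""

if __name__ == "__main__":
    # With file arguments, scan them (pre-commit use); otherwise scan the sample.
    hits = scan_paths(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE_CONFIG, "settings.py")
    for path, line_no, kind, value in hits:
        print(f"{path}:{line_no}: {kind} {value}")
    # A non-zero exit status makes a git pre-commit hook reject the commit.
    sys.exit(1 if hits else 0)
```

Wired into a pre-commit hook, the non-zero exit blocks the commit before the secret ever leaves the developer's machine; the same scan run over repository history catches keys that were committed earlier and must be rotated rather than merely deleted, since a secret that has been pushed once has to be assumed copied.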
This year has seen an epidemic of leaky AWS storage servers exposing data to the internet. Accenture, Verizon, Dow Jones and Deep Root Analytics have been caught leaking private user data to the public internet. In September, Equifax disclosed a data breach that affected upwards of 143 million Americans.
“Some of the questions that should be answered include: Why did engineers have access to 57 million records of personally identifiable information?” asked Terry Ray, CTO of security firm Imperva. “Did Uber security have any monitoring in place to alert them when such vast amounts of data were accessed? Controls to alert on suspicious data access do exist, but my guess is that they were not used, which is all too typical in today’s enterprises.”
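Ray's second question, whether anything would have alerted when a single identity pulled tens of millions of records, is the kind of control that is simple to implement once data access is logged. The following is an added example, not code from the article or from Uber or Imperva, that aggregates a data-access log per principal and hour and raises an alert when the volume exceeds both an absolute floor and a multiple of that principal's historical baseline. The log format, the principal names and the baseline figures are all constructed for the example; a real deployment would feed it from database audit logs or cloud storage access logs.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed data-access log: "<timestamp> <principal> <table> <rows_returned>".
# The format is hypothetical; only the aggregation logic matters here.
SAMPLE_LOG = """2016-10-13T09:12:01Z eng-alice riders 40
2016-10-13T09:40:22Z eng-alice riders 25
2016-10-13T10:05:10Z eng-bob drivers 12
2016-10-13T10:07:44Z eng-bob drivers 8
2016-10-13T02:14:05Z svc-batch riders 19000000
2016-10-13T02:31:50Z svc-batch drivers 600000
"""

# Constructed per-principal baseline: typical rows per hour seen over the prior month.
BASELINE = {"eng-alice": 60, "eng-bob": 30, "svc-batch": 5000}

def parse_line(line):
    """Split one log line into (datetime, principal, table, rows)."""
    ts, principal, table, rows = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, principal, table, int(rows)

def hourly_totals(lines):
    """Sum rows returned per (principal, hour) bucket."""
    totals = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        when, principal, _, rows = parse_line(line)
        hour = when.replace(minute=0, second=0, microsecond=0)
        totals[(principal, hour)] += rows
    return totals

def flag_bulk_access(lines, baseline, multiplier=10, floor=100_000):
    """Return (principal, hour, rows, limit) for every bucket over its limit.

    The limit is the larger of an absolute floor and multiplier x baseline, so a
    principal with no recorded baseline is still held to the floor, and a
    principal whose normal volume is tiny is not alerted on by noise alone.
    """
    alerts = []
    for (principal, hour), rows in sorted(hourly_totals(lines).items()):
        limit = max(floor, multiplier * baseline.get(principal, 0))
        if rows > limit:
            alerts.append((principal, hour.isoformat(), rows, limit))
    return alerts

if __name__ == "__main__":
    for principal, hour, rows, limit in flag_bulk_access(SAMPLE_LOG.splitlines(), BASELINE):
        print(f"ALERT {principal} read {rows} rows in hour {hour} (limit {limit})")
```

The floor and multiplier are the tuning knobs: the floor keeps a one-off export by a new service account visible, and the multiplier keeps a normally quiet engineering account from being able to read orders of magnitude more than it ever has without a ticket being raised.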
Other security experts said Uber may have to face angry state and federal regulators as well as angry customers in the weeks to come.
“While there’s no overarching federal regulations in place in the U.S., there’s a patchwork of state regulations that dictate when disclosures must be made – often it’s when a set number of users have been affected. No doubt Uber has surpassed this threshold and violated many of them by not disclosing the breach for over a year,” said Ken Spinner, VP of Field Engineering at Varonis.
Last year Uber was fined $20,000 by the New York attorney general for failing to disclose a 2014 breach. In August, Uber agreed to 20 years of privacy audits by the Federal Trade Commission to settle a data mishandling claim, without admitting wrongdoing. Part of that settlement was in response to the FTC claim that “Uber failed to live up to its promise to provide reasonable security for consumer data.”