Uber paid hackers to cover up breach

CEO says discovery of $135,000 payoff led to firing of two staff; stolen information includes details of Uber users

UK regulator says Uber's secret US$100,000 (S$135,000) pay-off to hackers to cover up a huge breach of customer and driver data raises 'huge concerns'.
The Uber office in San Francisco. The company announced on Tuesday that it was the victim of a massive data hacking in October last year. PHOTO: NYTIMES

SAN FRANCISCO • Uber Technologies Inc paid hackers US$100,000 (S$135,000) to keep secret a massive breach last year that exposed the personal information of about 57 million accounts of the ride-service provider, the company said.

Discovery of the US company's cover-up resulted in the firing of two employees responsible for its response to the hack, said Mr Dara Khosrowshahi, who replaced co-founder Travis Kalanick as CEO in August.

"None of this should have happened, and I will not make excuses for it," Mr Khosrowshahi wrote in a blog post. The breach occurred in October last year, but Mr Khosrowshahi said he had only recently learnt of it.

The hack is another controversy for Uber on top of sexual harassment allegations, a lawsuit alleging trade secrets theft and multiple federal criminal probes that culminated in Mr Kalanick's ouster in June.

The stolen information included names, e-mail addresses and mobile phone numbers of Uber users around the world, and the names and licence numbers of 600,000 US drivers, Mr Khosrowshahi said.

Uber passengers need not worry as there was no evidence of fraud, while drivers whose licence numbers had been stolen would be offered free identity theft protection and credit monitoring, Uber said.

Two hackers gained access to proprietary information stored on GitHub, a service that allows engineers to collaborate on software code. There, the two people stole Uber's credentials for a separate cloud-services provider, where they were able to download driver and rider data, the company said.

  • 57m: Number of accounts of Uber Technologies Inc in which personal information was exposed by a massive data breach last year.

  • 600,000: Number of US drivers whose names and licence numbers were among the stolen information.

  NUMBER OF ACCOUNTS INVOLVED IN OTHER MAJOR DATA BREACHES

    • Yahoo: Three billion
    • Onliner Spambot: 711 million
    • Exploit.In: 593 million
    • Anti Public Combo List: 457 million
    • Adult Friend Finder: 412 million
    • River City Media Spam List: 393 million
    • MySpace: 359 million
    • NetEase: 234 million
    • LinkedIn: 164 million
    • Adobe: 152 million
    • eBay: 145 million
    • Badoo: 112 million
    • B2B USA Businesses: 105 million

    SOURCE: haveibeenpwned.com, media reports

A GitHub spokesman said the hack was not the result of a failure of GitHub's security.

"While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes," Mr Khosrowshahi said.

"We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers."

Bloomberg News first reported the data breach on Tuesday.

Mr Khosrowshahi said Uber had begun notifying regulators. The New York attorney-general has opened an investigation, a spokesman said.

Regulators in Australia and the Philippines said yesterday they would look into the matter.

Uber said it had fired its chief security officer, Mr Joe Sullivan, and a deputy, Mr Craig Clark, this week because of their role in the handling of the incident.

Mr Sullivan, formerly the top security official at Facebook Inc and a federal prosecutor, served as both security chief and deputy general counsel for Uber.

Mr Kalanick learnt of the breach last November, a month after it took place, a source familiar with the matter told Reuters. At the time, the company was negotiating with the US Federal Trade Commission over the handling of consumer data.

A board committee had investigated the breach and concluded that neither Mr Kalanick nor Ms Salle Yoo, Uber's general counsel at the time, was involved in the cover-up, another person familiar with the issue said. The person did not say when the investigation took place.

Mr Kalanick, through a spokesman, declined to comment. The former CEO remains on the Uber board of directors.

In Singapore, an Uber spokesman said that recent reports of riders being charged for rides they did not take were not linked to last year's data breach.

"The incident in 2016 did not breach our corporate systems or infrastructure, and our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, NRIC or dates of birth were downloaded," he said.

Meanwhile, Singapore's Personal Data Protection Commission said it is in touch with Uber to get more details on the breach.

REUTERS


A version of this article appeared in the print edition of The Straits Times on November 23, 2017, with the headline Uber paid hackers to cover up breach.