It was revealed Tuesday that in October 2016, hackers stole the Uber data of 50 million users and 7 million drivers. The compromised information included names, phone numbers, email addresses and 600,000 U.S. driver's licenses, according to the company. Uber has declined to comment on which users were affected or give specific regional numbers beyond the number of American driver's licenses in the hack.
CEO Dara Khosrowshahi said in a statement that, to the company's knowledge, the information obtained by the hackers did not include trip location history, credit card numbers, bank account numbers, Social Security numbers or the dates of birth of its customers.
It has been widely reported, though the company has not confirmed it, that Uber paid out $100,000 to the hackers to delete the data and stay quiet about the breach. The company did say in a statement that it had “obtained assurances that the downloaded data had been destroyed.”
Khosrowshahi asserts he had no knowledge of the breach and that he took steps to find out how and why no one was informed either within the company or publicly of the hack. Uber chief security officer Joe Sullivan and deputy Craig Clark were both asked to resign for their efforts to cover up the breach. Drivers whose information was compromised were notified and will be receiving free credit monitoring and identity theft protection from the company.
The breach was orchestrated only a few months after Uber moved some data from company servers to a third-party cloud-based service provider. It was from this third-party cloud that the information was stolen, not directly from the Uber servers. The company is consulting with a former NSA advisor and the current director of the National Counterterrorism Center to create a better security plan.
This latest issue is just one of many Uber has faced since its inception and it could carry legal consequences. Agencies in both the U.S. and U.K. are investigating the company for its concealment of the breach for over a year. Both countries have legislation that requires companies to promptly notify consumers when their data has been compromised. Canada does not have laws that address these types of breaches, but in an email to The Huffington Post, NDP public safety critic Matthew Dube said we should probably get on passing some.