Uber on Tuesday became the latest tech firm to acknowledge a major hack of its systems that spilled data from 50 million customers and some 7 million drivers, a breach the company paid $100,000 to keep quiet.
The ride-hailing firm told Bloomberg that hackers gleaned rider names, email addresses and phone numbers in a successful attack dating back to 2016. Personal information of drivers, including about 600,000 U.S. driver's license numbers, was included in the stolen data cache.
Uber notes that social security numbers, credit card details, trip location and other sensitive information were not stolen in the hack.
According to the report, a pair of hackers infiltrated a private GitHub site used by Uber software engineers to gain access to login credentials that were subsequently used to access an Uber-assigned Amazon Web Services account. The AWS database included an archive of rider and driver information, which the hackers leveraged to ransom the company.
Uber was obligated to inform authorities of the breach, and alert drivers whose license information was stolen, but the company instead chose to pay $100,000 to delete the data.
"At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals," said Uber CEO Dara Khosrowshahi. "We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts."
Then-CEO Travis Kalanick, who was ousted from his company earlier this year, was informed of the cyberattack in November 2016, approximately one month after it took place. Leading the clandestine action to keep the hack under wraps was chief security officer Joe Sullivan, who was hired from Facebook in 2015 to take over the company's security operations.
Sullivan and his team were behind a number of questionable decisions this year and are at the center of a probe commissioned by Uber's board. The investigation unearthed today's reported hack and subsequent attempt to cover it up.
In light of the revelations, Uber this week fired Sullivan and Craig Clark, a senior lawyer reporting to Sullivan, for their role in concealing the cyberattack.
Uber has since hired cybersecurity firm Mandiant to investigate the intrusion, and has hired Matt Olsen, a former general counsel at the National Security Agency, to assist in restructuring the company's embattled security teams.