Uber paid hackers $100,000 after they had stolen data from 57 million users
The startup did not disclose the attack until Tuesday, adding a potential cover up to a list of recent corporate controversies.
Uber said that two people outside the company accessed the personal information of 57 million Uber users in late 2016, including names, email addresses and phone numbers. The license numbers of around 600,000 drivers in the United States were included in the breach.
The company did not alert victims or regulators of the breach when it was first discovered.
If U.K. citizens were affected then we should have been notified so that we could assess and verify the impact on people whose data was exposed, said James Dipple-Johnstone of the U.K. Information Commissioner's Office.
Khosrowshahi, who became CEO in August, said he launched an investigation into why the company did not alert authorities or affected individuals. Two of the individuals who led the response to this incident are no longer with the company. Khosrowshahi said the company is now notifying regulatory authorities.
At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals, Khosrowshahi said in the statement.
We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.
Uber did not say how hackers assured the company the stolen data was destroyed, but it did confirm that $100,000 was paid to the hackers. According to the company, no location history, credit card numbers, Social Security numbers, or dates of birth were downloaded in the hack. Uber said it is providing free credit monitoring to drivers who had their license numbers exposed.
The company has been embroiled in a number of controversies, including using software called Greyball to evade regulators, a court battle over allegedly stolen secrets from Google's self-driving car division, and a slew of complaints regarding sexual harassment and toxic company culture. This week, the company was fined almost $9 million for background check issues in Colorado. Khosrowshahi said things will be different moving forward.