Uber publicly admitted on Nov. 21 that it was the victim of a massive data breach that exposed personally identifiable information on 56 million users and 600,000 drivers.
“I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use,” Uber CEO Dara Khosrowshahi wrote in a statement. “The incident did not breach our corporate systems or infrastructure.”
Among the information that were stolen were names, email addresses and mobile phone numbers of Uber users. The names and license numbers of approximately 600,000 Uber drivers in the United States were also stolen. Khosrowshahi noted that there is no indication that credit card numbers, Social Security numbers or dates of birth information was stolen in the data breach.
“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals,” he stated. “We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed.”
According to a Bloomberg report, Uber paid $100,000 to the two hackers to delete the data and keep the matter quiet. Uber did not publicly report the breach in 2016, nor did it alert the regulatory authorities. The decision to pay off the hackers and not disclose the attack was allegedly made by Uber Chief Security Officer Joe Sullivan, who has been fired by Uber.
Although data was stolen, Khosrowshahi emphasized that no fraud or misuse of the data has occurred due to the 2016 breach.
“While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection,” he said.
According to Bloomberg, Uber’s co-founder and then CEO Travis Kalanick was notified of the incident months after it occurred in 2016. Khosrowshahi was named CEO of Uber in August 2017, after Kalanick was forced out by Uber’s board of directors.
The hack was allegedly conducted by the attackers who were able to find login credentials in an Uber repository on GitHub that enabled access to an Uber Amazon Web Services account. In the wake of the breach, Khosrowshahi said Uber has implemented security measures to restrict access to and strengthen controls on its cloud-based storage accounts.
Coincidentally, Uber launched a bug bounty program on the HackerOne platform in March 2016, paying security researchers to responsibly disclose vulnerabilities to the ride-sharing company. In July 2016, Uber revealed that it had paid a security researcher $10,000 for a high-impact flaw that could have enabled an attacker to take over an Uber user’s account.
As of Nov. 22, the HackerOne Uber bug bounty page reports that the company has paid $1.3 million in bug bounties since March 2016 for relevant security reports. Among the in-scope vulnerabilities that the bug bounty program pays for are AWS credential exposure reports. It’s currently not clear if the details behind the 2016 attack were ever communicated to Uber via its bug bounty program.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.