Personal data of over 50 million riders and 7 million drivers of the taxi-alternative service Uber was hacked in 2016, but the rideshare company reportedly paid the hackers $100,000 to delete the stolen goods, in order to keep the breach under wraps.
In an effort to be “honest and transparent,” Uber Technologies Inc. CEO Dara Khosrowshahi confirmed Tuesday that a security data breach occurred in late 2016, before he had taken over as chief executive officer.
Uber paid two hackers $100,000 to delete the names, email addresses, cell phone numbers and approximately 600,000 driver’s license numbers, according to Bloomberg. Uber’s chief security officer Joe Sullivan and an underling were fired this week for their involvement in the October 2016 incident, Bloomberg reported.
“You may be asking why we are just talking about this now, a year later,” Khosrowshahi wrote. “I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it.”
The company has offered affected riders and drivers separate resource pages. Drivers will receive free credit monitoring and identity theft protection. The company said that credit card, bank account and Social Security numbers, as well as birth dates and location histories were not compromised.
Uber had been under a US regulations investigation concerning privacy violation claims when the hack took place, according to Bloomberg. The company did not contact the drivers who had their driver’s license numbers stolen, as legally obligated, but instead paid hackers $100,000 in hopes the problem would go away.
The two hackers gained access to an Amazon Web Services Account, which held an archive of tens of millions of people’s data, after finding login credentials on a private GitHub coding site used by Uber software engineers, according to Bloomberg.