Uber Data On 57 Million People Stolen In Massive Hack

Nov 21, 2017
Originally published on November 22, 2017 2:25 pm

The ride-hailing service Uber revealed that the personal information of 57 million people — both customers and drivers — was hacked last year and that the company kept the massive theft secret for more than a year.

Uber also paid the hackers $100,000 to delete the stolen data and stay silent about it.

The hack, first reported by Bloomberg, was confirmed in a blog post by Uber CEO Dara Khosrowshahi. He said that in 2016, the hackers obtained the names, email addresses and mobile phone numbers of 57 million Uber users. The driver's licenses of about 600,000 Uber drivers in the U.S. also were stolen.

Khosrowshahi said the company's outside forensics experts see no evidence that the hackers got access to Uber users' trip location history, credit card numbers, bank accounts, Social Security numbers or dates of birth.

The CEO said he had "recently learned" of the massive hack, but he wasn't more specific about what he knew and when.

A source close to the company confirmed to NPR that Uber officials paid hackers $100,000 to delete the data and keep the breach secret. The source also said chief security officer Joe Sullivan and one of his lieutenants were terminated this week.

However, Uber declined to confirm how it knew that the data was, in fact, deleted by the hackers.

As NPR's Aarti Shahani reported on All Things Considered, Sullivan was the apparent mastermind of the cover-up.

"He's a former federal prosecutor — a former public servant — and he had an interesting approach to his job. For example, he felt it was OK for Uber to start using the sensors on drivers' smartphones to track how they drive, how they perform on the job — even though many drivers were not aware of this practice and didn't like it. Turns out he didn't feel an obligation to disclose to them their data was taken either."

In his post, Khosrowshahi said that Uber is contacting all of the drivers whose driver's license numbers were downloaded and providing them with free credit monitoring and identity theft protection.

He also concluded with a contrite tone:

"None of this should have happened, and I will not make excuses for it. While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers."

Copyright 2017 NPR. To see more, visit http://www.npr.org/.