Uber Discloses Year-Old AWS Data Breach, Exposing Millions of Users
On Tuesday, ride-sharing app Uber disclosed that its Amazon Web Services (AWS) account was hacked last year, compromising the personal information of 57 million users worldwide, including 600,000 U.S. drivers.
Uber CEO Dara Khosrowshahi, who came into his post just this past August, said in a statement that he only learned of the hack "recently," even though it happened in "late 2016" under the watch of his predecessor, Travis Kalanick. Kalanick resigned as Uber's CEO in June.
In his statement, Khosrowshahi said the hack involved "two individuals outside the company [who] had inappropriately accessed user data stored on a third-party cloud-based service that we use."
A Bloomberg report gave more details about what the attack entailed: The hackers gained access to Uber's private GitHub repository, where they nicked the company's AWS account credentials. The hackers then logged into Uber's AWS account and downloaded files that included the personally identifiable data of millions of the app's users, including names, e-mail addresses, phone numbers and driver's license numbers.
Users' Social Security numbers and credit card numbers do not appear to have been compromised, however.
"At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals," Khosrowshahi said. "We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts."
According to Bloomberg, Uber also paid the hackers $100,000 to keep their silence about the breach. The company also admits that, until this week, it purposely did not disclose the hack to the appropriate regulators, as it is legally required to do, or to the affected users and drivers.
"Uber now says it had a legal obligation to report the hack to regulators and to drivers whose license numbers were taken. Instead, the company paid hackers to delete the data and keep the breach quiet," Bloomberg reported, adding that Uber's head of cybersecurity at the time, Joe Sullivan, has now been ousted from the company for his response to the hack.
In his statement, Khosrowshahi indicated that Uber is taking steps to improve its security processes. It is also giving affected drivers credit card and identity protection services at no cost, as well as monitoring the compromised accounts.