Uber paid hackers $100,000 to delete stolen data about 57 million customers and drivers, in an attempted cover-up.
The ride-hailing firm confirmed last night that it had suffered a breach late last year and failed to notify victims or regulators.
“None of this should have happened, and I will not make excuses for it,” Uber chief executive Dara Khosrowshahi said in a statement.
“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”
The stolen data included 57 million names, email addresses and mobile phone numbers. A total of 600,000 drivers’ names and licence details were exposed during the breach.
“While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection,” Khosrowshahi added.
Two hackers gained access to Uber log-in credentials for the cloud platform AWS after accessing a private area of GitHub, a platform for developers, according to Bloomberg, which first reported the breach.
The embattled Silicon Valley firm has offered drivers free credit monitoring protection. Affected customers will not be offered the same service.
Uber’s chief security officer, Joe Sullivan, is one of two employees who have left the company in the wake of the response to the breach.
Rik Ferguson, vice president of security research at security firm Trend Micro, said Uber had failed in its responsibility to its drivers, regulators and customers.
“However certain those responsible may have been that their attackers had been silenced, digital theft does not work the same way as in the physical world; you can never ‘buy back the negatives’ once data has been stolen,” he said.
“It is heartening to see the new management team come clean about the breach, but I remain concerned at some of the wording in Mr. Khosrowshahi’s blog. He appears to distance Uber’s ‘corporate systems and infrastructure’ from the ‘third-party cloud-based service’ that was the target of the breach.
“This is perhaps indicative of the root of the problem. Cloud services adopted by a business *are* corporate systems and infrastructure and from a security perspective should be treated as such.”
The cover-up marks just the latest in a long line of scandals to have recently engulfed the ride-hailing giant, whose founding CEO Travis Kalanick was forced to step down earlier this summer.
Transport for London announced in September that it would not renew the firm’s licence to operate in the capital. It said in a statement that Uber’s conduct demonstrated a lack of corporate responsibility.
Uber is currently appealing the decision.