Uber failed to tell its users or regulators about a massive data breach that included the names, email addresses and phone numbers of some 57m passengers and drivers, the car-booking company admitted on Tuesday.
Revealing the breach for the first time, Uber said that it had asked for the resignation of Joe Sullivan, its chief security officer, a former federal prosecutor and previously head of security at Facebook, who was one of the most senior executives at the company.
Uber realised that its user information had been hacked in December 2016 but, instead of notifying regulators or the people affected, it paid $100,000 to the hackers to get them to destroy the stolen information, the company said.
Dara Khosrowshahi, chief executive, who took the helm at Uber in September, issued an apology and said he had started an investigation into the breach as soon as he learnt about it.
The news comes at a sensitive time for the company, as it works to finalise an investment deal from a SoftBank-led consortium that could be worth up to $10bn and to move on from a string of self-inflicted governance crises.
“None of this should have happened, and I will not make excuses for it,” Mr Khosrowshahi wrote in a statement. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business,” he wrote.
The personal details of some 7m drivers — including driver’s licence numbers for some 600,000 US drivers — were affected by the breach, along with account details from about 50m passengers.
Uber said it had informed regulators around the world of the breach on Tuesday, as well as individually contacting the US drivers whose licence numbers had been taken. The company has not seen unusual activity on the accounts that were affected, according to a person familiar with the investigation.
Although the data breach did not include information such as credit card numbers or trip histories, the fact that it was not disclosed sooner and that the hackers were paid off could present a legal headache for the company.
Mr Khosrowshahi’s decision to publicly announce the data breach — during a holiday week as the US celebrates Thanksgiving — represents an effort by him to get skeletons out of the closet during the first months of his tenure.
One of his big recent hires was a new chief legal officer, Tony West, whose first day at Uber will be on Wednesday. The company has also engaged Matt Olsen, a cyber security expert and a former general counsel of the US National Security Agency, to advise on a restructuring of its security team following the revelations around the data breach.
Uber is already facing several federal legal probes in the US, and will go to trial next month in a lawsuit in which it is accused of stealing trade secrets related to self-driving car sensors, an accusation that Uber denies.