In a statement, Uber CEO Dara Khosrowshahi admitted that hackers accessed and downloaded the personal information of more than 57 million Uber riders and drivers in October 2016. According to Mr. Khosrowshahi, two individuals were able to access user data from a third-party cloud-based service to access personal information that included (i) the names and driver's license numbers of drivers and (ii) the names, email addresses and phone numbers of riders.
Mr. Khosrowshahi claimed that Uber took "immediate steps" to protect data in the wake of the breach, and enacted measures designed to bolster the cybersecurity protections of data that are maintained through cloud-based storage services. He further represented that Uber is notifying authorities of the breach, monitoring compromised accounts for fraudulent activity, notifying drivers who were affected by the breach, and conducting a review of the Uber cybersecurity framework.
According to a report from Bloomberg, Uber paid the hackers $100,000 to delete the compromised data and took measures to "keep the breach quiet." Hackers allegedly accessed the information, which was stored through Amazon Web Services, and leveraged it in order to obtain a payout from Uber. Uber failed to make any governmental disclosures for over a year.
Commentary / Kyle DeYoung
Uber's announcement will certainly attract scrutiny from its regulators. It will be interesting to follow how they address the timing of Uber's disclosure, as well as the decisions it made along the way to address the breach.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
