The company would not comment or disclose details of measures it is currently taking to ensure the integrity of its systems and security of drivers or riders in Africa. Bloomberg reported that Uber not only kept the security breach secret from the victims, but also paid the hackers US$100,000 to “delete the data [and] keep quiet.
“Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world…The personal information of about 7 million drivers was accessed as well, including some 600,000 US driver’s license numbers. No Social Security numbers, credit card information, trip location details or other data were taken” reads Bloomberg’s quote on Uber.
“Apparently, Uber’s security chief, Joe Sullivan, lured to Uber from Facebook in 2015, has been sacked in the fallout,” notes IT security company Sophos in a blog.
Uber CEO, Dara Khosrowshahi published a blog post yesterday stating; “As Uber’s CEO, it’s my job to set our course for the future, which begins with building a company that every Uber employee, partner, and customer can be proud of. For that to happen, we have to be honest and transparent as we work to repair our past mistakes.”
Khosrowshahi says the incident did not breach the company’s corporate systems or infrastructure. “I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use.”
“Our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded. However, the individuals were able to download files containing a significant amount of other information.”
Khosrowshahi adds that the company, at the time of the incident, took immediate steps to secure the data and shut down further unauthorised access by the individuals.
James Lyne, Sophos cybersecurity advisor is quoted as saying, “Not notifying consumers puts them at greater risk of being victimised with fraud. It’s for precisely this reason that many countries are driving to regulations with mandatory breach disclosure.”
“For Uber customers and drivers, Sophos advises that they monitor their credit scores and keep their eyes peeled for additional information on what was stolen.”