Uber disclosed Nov. 21 that hackers had stolen the personal data of 57 million driver and rider accounts, and that the company had kept the breach secret for more than a year after paying the attackers a $100,000 ransom.
The deal was arranged by the company’s chief security officer and under the watch of the former chief executive, Travis Kalanick, according to several current and former employees who spoke on the condition of anonymity because the details were private.
The security officer, Joe Sullivan, has been fired. Mr. Kalanick was forced out in June, although he remains on Uber’s board.
The two hackers stole data about the company’s riders and drivers—including phone numbers, email addresses, and names—from a third-party server and then approached Uber and demanded $100,000 to delete their copy of the data, the employees said.
Uber acquiesced to the demands, and then went further. The company tracked down the hackers and pushed them to sign nondisclosure agreements, according to the people familiar with the matter. To further conceal the damage, Uber executives also made it appear as if the payout had been part of a "bug bounty," a common practice among technology companies in which they pay outside researchers who find and report vulnerabilities in their software. A bug bounty rewards the disclosure of a flaw to the vendor; it is not a payment to extortionists to delete data they have already stolen.
The details of the attack remained hidden until Nov. 21. The ride-hailing company said it had discovered the breach as part of a board investigation into Uber’s business practices.
The breach at Uber is far from the most serious exposure of sensitive customer information. The two breaches that Yahoo announced in 2016 eclipse Uber’s in size, and an attack disclosed in September by Equifax, the consumer credit reporting agency, exposed a far deeper trove of personal information for a far larger group of people.
But the handling of the breach underscores the extent to which Uber executives were willing to go to protect the $70 billion ride-hailing giant’s reputation and business, even at the potential cost of breaking users’ trust and, perhaps more important, state and federal laws. The New York attorney general’s office said on Nov. 21 that it had opened an investigation into the matter.
The company’s decision to conceal the breach and pay the ransom quickly raised questions among security experts. Many have repeatedly warned companies against paying hackers a ransom to cover up breaches or return stolen data, advice that was included in a 2016 statement from the F.B.I. And several states including California have laws mandating that companies disclose when they are breached by hackers.
Uber has experienced breaches before. The company was hit with a data breach in May 2014, an event Uber discovered later that year and disclosed in February 2015. In that attack, the names and driver's license numbers of more than 50,000 of the company's drivers were compromised.
This latest breach puts Uber in another difficult situation just as the company is working to repair its battered image and preparing to seek an initial public offering in 2019.
Uber has hired Matt Olsen, former general counsel at the National Security Agency, as an adviser, and has retained Mandiant, a security firm, to conduct an independent investigation of the security breach. Uber said Mr. Olsen planned to reorganize the company’s security team.
But the damage has already been done, and Uber officials are aware of the long road back to good standing with the public.
While it is not illegal to pay money to hackers, Uber may have violated several laws in its interaction with them.