Uber has confirmed that in October 2016 hackers gained access to the licence numbers of 600,000 of its US drivers and the personal information of 57 million Uber users from around the world.
The company’s chief executive, Dara Khosrowshahi, said the data included passengers’ names, email addresses and mobile phone numbers.
Khosrowshahi joined the company in August, replacing Uber founder Travis Kalanick as CEO.
“I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use,” Khosrowshahi said in a statement.
“The incident did not breach our corporate systems or infrastructure.”
Bloomberg, which broke the story, reported that attackers had obtained credentials from a private Uber GitHub repository, which they used to access data stored on Amazon Web Service’s cloud. Uber kept the breach quiet and paid the hackers US$100,000 to delete the data, Bloomberg reported.
The newswire said that Uber chief security officer Joe Sullivan spearheaded the response to the breach and has now been ousted as a result. Uber confirmed that at least two executives have left the company over the handling of the breach.
“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals,” Khosrowshahi said.
“We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”
The CEO said that after learning details of the breach, including the failure to notify the affected individuals and privacy regulators, he has ordered a “thorough investigation” into the company’s response.
The company is notifying regulatory authorities, it said.
Uber said it had seen “no evidence of fraud or misuse tied to the incident”.
Australian Information and Privacy Commissioner Timothy Pilgrim confirmed that his office has commenced inquiries with Uber.
“Incidents such as this are a timely reminder to Australians of the value of the personal information we provide in order to receive products and services,” Pilgrim said.
“As always, I encourage Australians to read privacy notices and ensure they are fully informed about what information is being exchanged in order to get the service, product or app they seek.”
“It is also a timely reminder to Australian businesses and agencies of the reputational value of good privacy practice, and the reputational risks that can follow mishandling of personal data,” he added.
In February 2018, Australia’s new data breach notification scheme comes into effect.