Uber silenced a major data breach and would have paid the hackers

Taxi service Uber paid hackers $100,000 in 2016 to cover up an attack in which data from 57 million Uber accounts was stolen. That is according to Bloomberg news agency. Uber confirmed that there was a hack in 2016, which it did not report at the time.

Uber has since responded through director Dara Khosrowshahi. He confirmed in a blog post that Uber was hit by an attack in 2016 in which the hackers stole the names, email addresses and cell phone numbers of 57 million users. Also, the names and driver license numbers of 600,000 drivers in the US were downloaded. The hackers obtained the data through a coding website on GitHub, which was used by Uber engineers. The hackers were able to access the data on an Amazon Web Services account via login details.

Khosrowshahi also indicated that Uber did not make the incident public at the time, but he neither confirmed nor denied part of Bloomberg’s message that the hackers had been paid to cover up the data theft. According to the director, steps were immediately taken after the hack to close unauthorized access to the data, whereby the two hackers were identified. Uber allegedly obtained assurances from them that the stolen data would be destroyed, but Khosrowshahi gave no further details about this apparent agreement with the hackers. According to Bloomberg, Uber said the hackers asked the taxi company to transfer money.

The director also says that he only recently learned about the fact that in 2016 two people had access to a server containing the data. Khosrowshahi says he immediately requested a thorough investigation into how Uber acted and what exactly happened. He admits that Uber did not inform the authorities or the affected individuals about the hack at the time. The company is still doing that. Khosrowshahi apologizes for the entire incident. According to Bloomberg, Uber has fired its chief security officer, Joe Sullivan. He declined to comment to Reuters.