The breach included the names, email addresses and mobile phone numbers related to accounts of people around the world, the company said. About 600,000 Uber drivers also had their names and driver’s license numbers stolen. More sensitive information, including trip location history, credit card numbers, bank account numbers, Social Security numbers and dates of birth, was not accessed.
More troubling than the hack itself: Instead of disclosing the breach to the affected customers and proper government authorities, Uber decided to pay the unnamed hackers to keep quiet.
That was likely the decision of chief security officer Joe Sullivan, a former federal prosecutor Uber hired from Facebook. Sullivan and an additional team member were fired this week.
Most states have laws requiring that companies notify consumers who are affected by a data breach. Although not all require customers to be notified in a specific timeframe, many mandate that it happen as soon as possible. For example, in California, where Uber is based, the disclosure must happen in “the most expedient time possible and without unreasonable delay.”
There’s currently no evidence that the leaked data has been used for nefarious purposes, Uber told customers Tuesday.
“We do not believe any individual rider needs to take any action,” the company said in a statement. “We have seen no evidence of fraud or misuse tied to the incident. We are monitoring the affected accounts and have flagged them for additional fraud protection.”
Uber CEO Dara Khosrowshahi, who joined the company in September, addressed the breach in a blog Tuesday.
“None of this should have happened, and I will not make excuses for it,” Khosrowshahi wrote. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
“We have to be honest and transparent as we work to repair our past mistakes,” he said.
Khosrowshahi said the company is providing affected drivers with free credit monitoring and identity theft protection.