In an October 2016 attack, hackers extracted names, email addresses, and phone numbers of 50 million Uber riders (details), as well as personal information about 7 million drivers (including 600,000 US drivers license numbers). Details from Uber. A subsequent FTC investigation found that more than 25 million names and email addresses, and more than 22 million names and phone numbers, were affected.
Uber did not tell the public about the hack or alert the affected drivers or passengers. Nor did Uber tell regulators, although at the same time Uber was negotiating with the US FTC about other claims of privacy violations. As of November 2017, when the attack was publicly revealed, Uber admitted that it was required to disclose the hack because driver’s license information was among the information taken.
Instead of disclosing the hack to regulators or the public, Uber paid the hackers $100,000 to delete the data and not tell anyone what had happened. The New York Times reported that Uber also pushed the hackers to sign nondisclosure agreements, and that the company “made it appear” as if the $100,000 payout had been part of a “bug bounty” program (paying hackers to find problems) rather than a response to hackers’ demands.
Uber then-CEO Travis Kalanick learned of the breach in November 2016, a month after it took place. Reuters indicated that new CEO Dara Khosrowshahi indicated only having learned about the problem “recently.”
Uber Chief Security officer Joe Sullivan oversaw Uber’s response to the hack. As part of Uber’s 2017 investigation of the situation, new CEO Dara Khosrowshahi fired Sullivan along with Craig Clark, who had been legal director of security and law enforcement (reporting to Sullivan).
Upon learning of Uber’s failure to disclose the privacy breach, multiple regulators criticized the company’s action and opened investigations.
In a December follow-up, Reuters reported that the hacker was a 20-year-old man from Florida.
