Email addresses for 57 million people were among the personal data points exposed in a 2016 theft of Uber data that the transportation company revealed on Tuesday.
Uber CEO Dara Khosrowshahi said in a statement: “I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use. The incident did not breach our corporate systems or infrastructure.”
The theft did not include location history, credit card numbers, dates of birth or Social Security numbers, Khosrowshahi said. However, he acknowledged that the thieves were able to download:
Personal information, including email addresses and mobile phone numbers, on 57
million Uber users worldwide
Names and driver’s license numbers on 600,000 drivers in the United States
Khosrowshahi added that the company took steps to secure the data “and shut down further unauthorized access by the individuals” a the time of the incident.
He continued: “We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts."
But news reports state that Uber paid U.S. $100,000 to the hackers. And questions have arisen over the timing of this revelation.
“You may be asking why we are just talking about this now, a year later,” Khosrowshahi said. “I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it."
He added: “What I learned, particularly around our failure to notify affected individuals or regulators last year, has prompted me to take several actions.”
These include notification of drivers and regulatory authorities and the firing of two individuals who “led response to the incident.”
Media reports say that chief security officer Joe Sullivan is out.
Khosrowshahi said he also asked Matt Olsen, former general counsel of the National Security Agency and director of the National Counterterroism Center, to help him restructure Uber’s security teams.
Affected drivers are being provided with free credit monitoring and identity theft protection.
Khosrowshahi claimed that the firm has not seen evidence of fraud or misuse tied to the incident.”
Handling of the incident would likely be regarded as a serious breach under the General Data Protection Regulation (GDPR), which takes effect next May.