Uber hacked, data for 57 million people exposed
Hackers have stolen personal data for 57 million Uber customers and drivers, the ride-hailing company said Tuesday.
The stolen information includes names, home addresses, mobile phone numbers and emails of 50 million people who have used Uber around the world. The breach also exposed the driver's licenses and other information for roughly 7 million drivers for the company, including 600,000 in the U.S.
No Social Security numbers, credit card numbers, bank account numbers, birth dates or trip location data were taken, Uber said, adding that it hasn't seen evidence of fraud related to the breach. The company said it is monitoring affected accounts for signs of misuse.
"We do not believe any individual rider needs to take any action," Uber said, while encouraging users of the service to monitor their credit and accounts.
Bloomberg first reported news of the hack, which took place in October of 2016. Nothing malicious has happened partly because Uber paid the hackers $100,000 to destroy the stolen information, CBS News has confirmed.
The New York State Attorney General has opened an investigation into the hack, as has the attorney general for Massachusetts.
"None of this should have happened, and I will not make excuses for it," Dara Khosrowshahi, who Uber named as CEO in September, said in a statement. "While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes."
In a statement, Khosrowshahi acknowledged that Uber had failed to inform Uber users that their data been stolen in a timely manner, saying he has recently initiated an investigation of the incident and of how Uber handled it.
The executive said he "recently" learned that Uber in late 2016 discovered that two individuals outside the company accessed user data housed on third-party internet cloud services. The hack didn't penetrate Uber's corporate systems or infrastructure, he said.
"At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals," Khosrowshahi said. "We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed."
But a source familiar with the incident and with Uber's initial investigation told CBS News' Andres Triay that the company paid the hackers who stole the data $100,000 to delete it. It is not known whether that occurred. Uber also did not report the breach to law enforcement at the time.
Khosrowshahi said two Uber employees who led the company's response to the cyberattack have left the company, effective Tuesday.
Bloomberg reported that Uber Chief Security Officer Joseph Sullivan and one of his deputies had been ousted in connection with the breach.
Uber said it also tightened security for its cloud-based storage systems, according to the company.
The company said it will individually notify drivers for the company whose license numbers were stolen and also provide them with free credit-monitoring and identity theft protection.
