Uber paid hackers $100,000 over massive data breach last year; CEO Khosrowshahi apologises

Uber paid hackers $100,000 over massive data breach last year; CEO Khosrowshahi apologises

Khosrowshahi said while he couldn't erase the past, he could commit on behalf of every Uber employee that they would learn from mistakes

There seems to be no end to troubles for the ride-service provider Uber. Latest in a series of faux pas, which include lawsuits, criminal proceedings, boycotts and an executive exodus, is a report that says Uber Technologies Inc paid hackers around $100,000 for not disclosing the details about 57 million accounts after a massive data breach last year. Uber plans to roll out new features, 'Request for Guest' that lets users book trips on behalf of someone, in India, and such reports emerging at a time when the company is trying to dominate the ride-sharing market is not a good news for it, say experts.

Though the incident reportedly happened last year when Uber co-founder Travis Kalanick was at the helm of affairs, new chief executive officer (CEO) Dara Khosrowshahi, who joined the company in August, fired two employees of the company responsible for its response to the hack. "None of this should have happened, and I will not make excuses for it," Khosrowshahi said in a blog post. The breach occurred in October 2016 but Khosrowshahi said he had only recently learned of it.

The hack is another controversy for Uber on top of sexual harassment allegations, a lawsuit alleging trade secrets theft and multiple federal criminal probes that culminated in Kalanick's ouster in June. The stolen information included names, email addresses and mobile phone numbers of Uber users around the world, and the names and license numbers of 600,000 U.S. drivers, Khosrowshahi said.

Uber passengers need not worry as there was no evidence of fraud, while drivers whose license numbers had been stolen would be offered free identity theft protection and credit monitoring, Uber said. Two hackers gained access to proprietary information stored on GitHub, a service that allows engineers to collaborate on software code. There, the two people stole Uber's credentials for a separate cloud-services provider where they were able to download driver and rider data, the company said.

A GitHub spokeswoman said the hack was not the result of a failure of GitHub's security. "While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes," Khosrowshahi said. "We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers." Bloomberg News first reported the data breach on Tuesday. Khosrowshahi said Uber had begun notifying regulators. The New York attorney
general has opened an investigation, a spokeswoman said.

Regulators in Australia and the Philippines said on Wednesday they would look into the matter. Uber is seeking to mend fences in Asia after having run-ins with authorities, and is negotiating with a consortium led by Japan's SoftBank Group for fresh investment. SoftBank declined to comment.

Uber said it had fired its chief security officer, Joe Sullivan, and a deputy, Craig Clark, this week because of their role in the handling of the incident. Sullivan, formerly the top security official at Facebook Inc and a federal prosecutor, served as both security chief and deputy general counsel for Uber. Sullivan declined to comment when reached by Reuters. Clark could not immediately be reached for comment.

Kalanick learned of the breach in November 2016, a month after it took place, a source familiar with the matter told Reuters. At the time, the company was negotiating with the U.S. Federal Trade Commission over the handling of consumer data. A board committee had investigated the breach and concluded that neither Kalanick nor Salle Yoo, Uber's general counsel at the time, were involved in the cover-up, another person familiar with the issue said. The person did not say when the investigation took place.

With Reuters inputs