The launch of ride-sharing company Uber was so disruptive to the transportation-for-hire industry, that for years, whenever anyone wanted to claim that their idea for an app or startup was revolutionary, they touted it as “It’s like Uber, but for [new thing]!”
“It’s like Uber, but for pizza delivery!” “It’s like Uber, but for mortgage loans!” “It’s like Uber, but for breeding alpacas!”
“It’s like Uber, but for identity theft!”
Wait a second. That last one doesn’t sound right.
Uber, the company that pioneered delivering a stranger to your doorstep within minutes to drive you around town, has now achieved a revolutionary level of delivering a knife to their own clients’ backs.
As Bloomberg reported late Tuesday afternoon, hackers stole the personal data of 57 million of Uber’s customers and drivers, and the company concealed it for more than a year.
57 million is a lot of people. It’s almost as many as the combined populations of California and Florida.
The compromised data, which the hackers obtained by gaining access to cloud-based data storage used by Uber software engineers, included a lot of personal information:
Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world, the company told Bloomberg on Tuesday. The personal information of about 7 million drivers was accessed as well, including some 600,000 U.S. driver’s license numbers. No Social Security numbers, credit card details, trip location info or other data were taken, Uber said.
But wait, it gets even better!
Instead of reporting the massive data breach to U.S. regulators (who were already investigating the company for prior privacy breaches, natch) or — here’s a wild idea! — to their own customers and drivers (who might have appreciated the heads up to secure their accounts), Uber paid hackers $100,000 to delete the data and conceal the data breach.
Uber told Bloomberg that “it believes the information was never used but declined to disclose the identities of the attackers.”
Uber’s chief security officer, Joe Sullivan, did lose his job over this mess, along with one of his deputies, but the fact remains that millions of people’s private information was compromised and the company tried to sweep it all under the rug.
Dara Khosrowshahi, who just took over as CEO in September after his predecessor was ousted, posted a statement detailing the breach and offering to provide free credit protection monitoring and identity theft protection for those whose data was compromised.
That’s unlikely to get Uber out of hot water. Failure to promptly report a data breach of this type of personal information violates several state and federal laws, and the company was already fined in January 2016 for failure to report a prior data breach in 2014.
As the Bloomberg article notes, Uber was negotiating the settlement for that 2014 breach with the FTC around the same time it was negotiating with the hackers to help cover up the 2016 breach, which, of course, it didn’t disclose to the FTC at the time.
Whether the government will drop the hammer on Uber for this repeated violation remains to be seen. The FTC settled the 2014 breach for a mere $20,000 and no admission of wrongdoing by Uber.
As the Dallas Morning News Editorial Board observed, these kinds of data breaches are becoming all too common. Uber’s hackers might have been amenable to being bought off, but that’s little assurance that the next big data breach won’t be carried out by someone with far more nefarious ambitions.
Follow Sarah Rumpf on Twitter: @rumpfshaker.