Uber Discloses Data Breach, Kept Secret for a Year, Affecting 57 Million Accounts

SAN FRANCISCO — Uber on Tuesday disclosed it was the victim of a data breach last October that affected 57 million driver and rider accounts and that it fired its chief security officer, Joe Sullivan, for keeping the breach a secret for more than a year.

The ride-hailing company said information on driver and rider names, emails and telephone numbers had been compromised by the attack. After the breach, two hackers approached Uber demanding payment for the stolen data and proof of the deletion of the data. Uber did not make the breach public and instead paid the hackers $100,000 to ensure the stolen data was expunged.

The issue came to light in recent months after an investigation by Uber’s board into the company’s past, in which board members looked at several internal practices. Dara Khosrowshahi, who was chosen to be the chief executive in late August, said he only recently learned of the incident and decided to take action.

“None of this should have happened, and I will not make excuses for it,” Mr. Khosrowshahi said in a company blog post. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”

The revelation of the breach and the way it was kept quiet raise more questions about the tenure of Travis Kalanick, Uber’s co-founder, who was chief executive at the time of the breach.

Mr. Kalanick began 2017 on a high note as chief executive of the most valuable privately held start-up in the world, but that rapidly fell apart after Uber came under scrutiny for its workplace culture. The New York Times also reported on a secret program called Greyball that had been undertaken under Mr. Kalanick’s watch, in which Uber staff members surveilled some law enforcement in order to evade them.

By June, some of Uber’s shareholders were agitating for Mr. Kalanick’s exit. That month, he stepped down under pressure, but has since fought to retain control of several board seats. Benchmark, a venture capital firm that is one of Uber’s earliest investors and had been a supporter of Mr. Kalanick, sued the former C.E.O. for fraud.

A spokeswoman for Mr. Kalanick declined to comment. Bloomberg earlier reported the hack.

Content originally published on https://www.nytimes.com/2017/11/21/technology/uber-hack.html by MIKE ISAAC and KATIE BENNER