App-based private-hire transportation service Uber has been dealt a double blow this week as news of a data breach covering 57 million customers was quickly followed by the revelation that the company had known of the issue for the past year and had paid $100,000 to the attackers to keep the breach quiet.
Uber, already a source of much controversy over its aggressive marketing techniques, use of technological systems which attempt to evade regulatory oversight, insistence that its drivers are not employees, 'surge pricing' which can see fares raised to many times their previous levels during peak times, its provision of loans to purchase vehicles in developing nations which then prove impossible to repay as too many drivers attempt to service too small a target market, its capturing of location data on passengers even after they have exited the vehicle, and several high-profile cases of passengers being attacked by drivers who had not undergone even the most basic of background checks before being admitted to the platform, is now under additional fire over a serious data breach affecting an estimated 57 million of its customers - a breach which the company has been attempting to hide since 2016.
'Our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded' writes Dara Khosrowshahi, Uber's chief executive, in the company's announcement. 'However, the individuals were able to download files containing a significant amount of other information, including: The names and driver’s license numbers of around 600,000 drivers in the United States; some personal information of 57 million Uber users around the world, including the drivers described above. This information included names, email addresses and mobile phone numbers.'
While Khosrowshahi claims to have only recently learned of the breach, the New York Times details an attempt by executives at the company to cover up the breach - including the payment of a $100,000 ransom to the attackers in exchange for the apparently empty promise that the purloined data would be deleted. While a panicked ransom payment is one thing, however, the company is accused of going still further by tracking the attackers down, giving them non-disclosure agreements to sign, and disguising the payment as a 'bug bounty' payout to legitimate security researchers.
According to the NYT's sources, the deal was brokered by former chief executive Travis Kalanick, still a member of Uber's board of directors despite his ouster from the role in June this year over the company's toxic corporate culture, and since-sacked chief security officer Joe Sullivan.
May 15 2020 | 11:00