Two high-ranking Uber employees discovered a data breach over a year ago, and instead of reporting it to the proper authorities and letting those who were affected know, the two employees allegedly paid to cover up the breach. They paid the hackers who had broken into their data system $100,000 to stay quiet and to destroy the evidence of the breach.
Uber’s CEO, Dara Khosrowshahi, issued a public acknowledgment of the breach and acknowledged that the two men involved, Chief Security Officer Joe Sullivan and Craig Clark, a senior lawyer, were fired by the company.
The breach included names, email addresses, and phone numbers of people who have used the driving service since its inception. Additionally, the breach included the driver’s license data for Uber employees.
Uber tried to ease the minds of those possibly affected, issuing the following statement: “We have seen no evidence of fraud or misuse tied to the incident. We are monitoring the affected accounts and have flagged them for additional fraud protection.”
Khosrowshahi was taken aback by the breach and the misconduct of his employees and indicated that there was no excuse for this happening. “You may be asking why we are just talking about this now, a year later. I had the same question,” he wrote in a statement.
According to USA Today, New York’s Attorney General has opened an investigation into the breach. Bloomberg has reported the breach happened after the information was stored on a website for software engineers called Github.com.
The hackers who were able to get into the website retrieved information for over 7 million users. A similar incident happened to Uber in 2014, and again, the company waited an extended period of time before informing their customers.
The company was fined $20,000 by the Attorney General after the first breach. Once can only imagine what fines and penalties will be handed down by the Attorney General this time after employees also tried to cover the breach.