Some 57 million Uber users’ personal information was exposed in October 2016 when the car-hailing company experienced a cyber attack, the company announced Tuesday — more than a year after the occurrence of the incident.
Bloomberg reported the company paid $100,000 to the hackers responsible for the attack to keep the breach private.
Dara Khosrowshahi, Uber’s new CEO who was appointed by the board in August, said in a statement that two people outside the company “inappropriately accessed user data stored on a third-party cloud-based service that we use.”
The attackers stole data of the 57 million people across the globe, including their names, email addresses and mobile phone numbers. About 600,000 U.S.-based drivers were among 7 million Uber drivers whose license numbers and names were exposed in the breach.
The data breach was the latest in a string of high profile cyber attacks that weren’t revealed until months or years later. Fortunately, it doesn’t appear that Uber users have to worry about any of their financial information being exposed. Khosrowshahi said no evidence indicated that trip location history, credit card numbers, bank account numbers, or dates of birth were stolen.
What was done?
After the attack happened, Uber “took immediate steps” to safeguard the data and blocked further unauthorized access to the information, according to Khosrowshahi. The company identified the hackers and made sure the exposed data had been destroyed. Security measures were also taken to enhance control on the company’s cloud storage.
“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
The company let go two employees who led the response to the incident on Tuesday, according to the statement. Uber is also reporting the attack to regulatory authorities.
What can you do?
Uber said no evidence shows fraud or misuse connected to the data breach.
Check out our guide on credit freezes and other steps you can take to protect your identity if personal information is compromised in a data breach.
If you are an Uber rider…
The company said you don’t need to take any action. Uber is monitoring the affected accounts and have marked them for additional fraud protection, Khosrowshahi said. But you are encouraged to regularly monitor your credit and Uber accounts for any unexpected or unusual activities.
If anything happens, notify Uber via the Help Center immediately. You can do this by tapping “Help” in your app, then “Account and Payment Options” > “I have an unknown charge” > “I think my account has been hacked.”
If you are an Uber driver…
If you are affected, you will be notified by Uber via email or mail and the company is offering free credit monitoring and identity theft protection.
You can check whether your Uber account is at risk here.