Uber told potential investor about huge data breach before telling public


That information included the names and license numbers of 600,000 drivers in the US, as well as the names, email addresses, and mobile phone numbers of 57 million Uber customers around the world. "While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes".

That pledge shouldn't excuse Uber's previous regime for its egregious behaviour, said Sam Curry, chief security officer for the computer security firm Cybereason. The WSJ says an investigation by FireEye's Mandiant, a cybersecurity firm, was underway by the time Uber broke the news to SoftBank Group. "Those people responsible for the integrity and confidentiality of the data in fact covered it up". Some 600,000 US driver's license numbers were also accessed.

Uber CEO Dara Khosrowshahi reportedly learned about a large data breach at the ride-hailing service two months ago and informed potential investor SoftBank before making the incident public. Equifax waited six weeks to admit to a hack that compromised the personal information of 145 million customers, and Yahoo disclosed a massive data breach involving 500 million accounts late last year - a full two years after the incident occurred.

Mr Edelstein warned Australian Uber users to change their password as a preventive measure, carefully scrutinise messages purporting to come from Uber, and avoid opening email attachments from the company.

As part of his effort to set things right, Khosrowshahi extracted Sullivan's resignation from Uber and also jettisoned Craig Clark, a lawyer who reported to Sullivan.

The New York State Office of the Attorney General has opened an investigation into the breach and a suit seeking class-action status was filed in federal court in California. The ride-sharing company now faces probes from multiple state attorneys general and regulators.

Uber concealed a hack that affected 57 million customers and drivers, the company has confirmed.

'Deliberately concealing breaches from regulators and citizens could attract higher fines for companies,' Dipple-Johnstone warned, a sentiment echoed by minister for digital Matt Hancock, who has opined that there is a 'very high chance' that the company's actions to hide the breach are illegal under United Kingdom law.

"We do not have sufficient confidence in the number that Uber has told us to go public on it, but we are working with the National Cyber Security Centre and the ICO to have more confidence in the figure", he said. James Dipple-Johnstone, Deputy Commissioner of the UK Information Commissioner's Office, said in a statement that Uber's consistent efforts to hide the breach would make the company pay a huge fine.

Uber's data theft and subsequent cover-up would have put the company in breach of Australia's forthcoming "notifiable data breaches" law, due on February 23, which will force organisations to contact victims and report the theft of personal information to the Australian Privacy Commissioner.
