News

Uber paid off hackers who breached 57 million user accounts

The cyber breach occurred last year but has also just been reported.
The cyber breach occurred last year but has also just been reported. The cyber breach occurred last year but has also just been reported.

Investigators are working to establish how many British Uber customers had personal information hacked during a mass data breach covered up by the taxi-hailing firm.

The Information Commissioner’s Office (ICO) warned Uber it faced “higher fines” for concealing details of the hack, which affected 57 millions drivers and customers worldwide.

In an extraordinary admission made by the US firm’s chief executive on Tuesday, it was revealed a third-party cloud-based service had been infiltrated by cyber criminals.

Dara Khosrowshahi, who took over in August, said two individuals outside the company “inappropriately accessed user data” in late 2016.

This included names, email addresses and mobile phone numbers, as well as the names and number plates of 600,000 drivers in the US.

Uber hack
Uber hack
(Yui Mok/PA)

Uber suppressed the incident by paying 100,000 US dollars (£75,500) to hackers so they would delete the data and keep the breach quiet, Bloomberg reported.

The ICO has been working alongside the National Cyber Security Centre (NCSC) to assess the scale of the problem for British users.

James Dipple-Johnstone, deputy commissioner of the information watchdog, said: “Uber’s announcement about a concealed data breach last October raises huge concerns around its data protection policies and ethics.

“It’s always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers. If UK citizens were affected then we should have been notified so that we could assess and verify the impact on people whose data was exposed.

“We’ll be working with the NCSC plus other relevant authorities in the UK and overseas to determine the scale of the breach, how it has affected people in the UK and what steps need to be taken by the firm to ensure it fully complies with its data protection obligations.

“Deliberately concealing breaches from regulators and citizens could attract higher fines for companies.”

Uber accused by police
Uber accused by police
(Lauren Hurley/PA)

Mr Khosrowshahi said there had been “no indication” trip history, credit card details, bank account numbers or dates of birth were downloaded by the hackers.

He wrote in a blog post: “At the time of the incident, we took immediate steps to secure the data and shut down further unauthorised access by the individuals.

“We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed.”

Uber reportedly tracked down the hackers and pressured them to sign non-disclosure agreements so news of the breach did not get out.

The New York Times said company executives had then dressed up the breach as a “bug bounty”, the practice of paying hackers to test the strength of software security.

Affected accounts have been flagged for additional fraud protection, Mr Khosrowshahi said.

“None of this should have happened, and I will not make excuses for it,” he wrote.

“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”

Downing Street said UK authorities were not informed of the hack at the time of its initial discovery by Uber last year.

Prime Minister Theresa May’s official spokesman said: “These are obviously concerning reports and the National Cyber Security Centre is working closely with domestic and international agencies, including the National Crime Agency and the Information


Commissioner’s Office, to investigate if and how this breach has affected people in the UK.

“It is a worldwide incident and it is unclear at this stage which countries were affected by the hack.

“What we do know is, based on current information, we have not seen evidence that financial details have been compromised.”

The spokesman said that Uber “did not notify individuals in the UK, the UK Government or UK regulators” at the time the hack was discovered in October last year.

He said that, as soon as it became aware of the incident, the NCSC had “reached out to international partners” to get a better understanding of any potential threat, adding: “That work is ongoing.”