Ride-hailing giant Uber on Tuesday revealed a massive data breach that occurred over a year ago but never came to light because the company conspired to keep it hidden.
The incident is the latest black eye for a company that, despite its massive popularity, has been recovering from a series of scandals that caused Uber’s investors to force out former CEO Travis Kalanick in June.
“None of this should have happened, and I will not make excuses for it,” said Dara Khosrowshahi, who took over for Kalanick as CEO, in a blog post.
The breach, which Uber said occurred in “late 2016,” exposed some personal information on 57 million Uber users but didn’t compromise riders’ location history, financial information or Social Security numbers, according to the company. The hackers did make off with the names and driver’s license numbers of around 600,000 of the company’s U.S. drivers.
However, after discovering these thefts, the company took several unusual — and potentially legally questionable — steps. Instead of alerting victims, authorities and regulators, executives kept the information under wraps.
According to Bloomberg, they even paid the hackers $100,000 to destroy the stolen data in the hopes of keeping it off the black markets, where a researcher might discover it and alert the public.
“You may be asking why we are just talking about this now, a year later. I had the same question,” Khosrowshahi said, adding that he “immediately” launched an investigation upon recently learning about the cover-up.
As a result of the company’s examination, Uber has fired two of the people “who led the response to this incident,” Khosrowshahi said.
Bloomberg reported that one of the ousted individuals is Chief Security Officer Joe Sullivan, who was already under scrutiny for some of his other work at Uber.
Uber’s silence at the time of the digital break-in also raises eyebrows because it came just as the Silicon Valley stalwart was negotiating with the U.S. Federal Trade Commission over a complaint about the company’s handling of consumer data. Uber eventually settled with the FTC in August of this year, promising to implement a “comprehensive privacy program.”
The breach discovery also came shortly after Uber settled a lawsuit with the New York attorney general over its failure to judiciously disclose a 2014 breach.
It’s unknown whether Uber will face new legal or regulatory scrutiny over this latest revelation.
“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” Khosrowshahi said.
Uber said it had not seen evidence the digitally pilfered information had resulted in any fraud, but vowed to monitor the victims’ accounts for “additional fraud protection.”
Still, the news is likely to draw the ire of lawmakers and consumer rights advocates, who have pilloried digital malfeasance at other recently breached companies, most notably Equifax. The credit rating bureau earlier this year revealed a digital intrusion that put 145 million Americans’ sensitive information at risk, leading to a spate of Capitol Hill hearings where lawmakers admonished company executives for basic digital shortcomings and delays in notifying breach victims.
Khosrowshahi insisted Uber is being proactive about rectifying its failures.
“We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers,” he said.