Ride-sharing company Uber has admitted that hackers stole personal data, including names, email addresses and phone numbers for 57 million customers and drivers more than a year ago. The hackers also obtained drivers license numbers for 600,000 Uber drivers, but they did not gain access to any social security numbers, credit card numbers or trip information. The company paid the attackers $100,000 not to divulge the information, and it did not disclose the breach at the time, even though it had a legal obligation to do so.
As the first step in the attack, two hackers broke into a private GitHub repository used by the company’s developers. Within the repository, they found login credentials that allowed them to gain access to the company’s Amazon Web Services account. After stealing the data from the cloud computing systems, they emailed Uber asking for money.
Uber has previously been fined for failing to disclose other breaches.
“None of this should have happened, and I will not make excuses for it,” stated Uber CEO Dara Khosrowshahi. “We are changing the way we do business.”