Uber paid hackers, hid data breach affecting 57 million people

The personal information of 57 million Uber riders and drivers was stolen by hackers a year ago — a breach the company reportedly managed to conceal by paying the cyber criminals to destroy the information.

The cyberattack included 50 million Uber riders globally and 7 million drivers in the U.S. The stolen information was mostly limited to names, email addresses and phone numbers, according to a blog post from Uber CEO Dara Khosrowshahi.

However, the driver’s license numbers of 600,000 drivers in the United States were also compromised and Uber is now in the process of sending notifications to those drivers and regulatory authorities.

Forty million riders use Uber every month.

Image: An Uber sign is seen in a car in New York Image: An Uber sign is seen in a car in New York

An Uber sign is seen in a car in New York on June 30, 2015. Eduardo Munoz / Reuters file

The existence of the breach was kept under wraps for a year and was first reported on Tuesday by Bloomberg.

While Khosrowshahi’s blog post does not mention Uber paying off the hackers to destroy the information, the company confirmed to NBC News that it paid two hackers $100,000 as a result of the incident.

Hackers were apparently able to access the user data late last year through a third-party cloud based service used by Uber. When the incident was discovered, Uber’s security team was able to cut off the hackers’ access and was able to identify them and receive “assurances that the downloaded data had been destroyed,” according to Khosrowshahi.

Uber Chief Security Officer Joe Sullivan, who was said to help spearhead the response to the breach, and his deputy are no longer with the company.

Khosrowshahi, who has been at Uber for less than three months, apologized for the incident, which did not happen under his tenure. He said it should have previously been disclosed.

“You may be asking why we are just talking about this now, a year later. I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it,” Khosrowshahi wrote.

He outlined several steps, including notifying drivers, offering fraud protection and hiring Matt Olsen, former general counsel of the National Security Agency to help consult on how Uber’s security teams and processes should best function.