As bad as that is, the problem was even worse for more than 600,000 of the company’s drivers who had their driver’s license numbers hacked, too.
Standard protocol is that when a breach like this occurs, the company will engage law enforcement officials as appropriate, hire a third-party security firm to help with the forensic investigation and notify their consumers.
Unfortunately, that’s not the path Uber chose to take. Instead, they paid the hackers $100,000 in exchange for keeping quiet about the hack and deleting the stolen data.
The company kept the incident under wraps for more than a year, but eventually, word of the attack leaked out, and the fallout has been catastrophic. Uber’s CEO Dara Khosrowshahi has asked for the resignation of the company’s Chief Security Officer, Joe Sullivan, and one of his deputies, Craig Clark, both of whom worked to keep the attack quiet.
In a formal statement, Khosrowshahi had this to say:
“None of this should have happened, and I will not make excuses for it. While I cannot erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
As is common in the aftermath of events like these, Uber is offering its impacted customers a free year’s worth of credit monitoring services and will likely force password changes for its app users. More than a year too late, but it’s something.
File this away under how not to handle a data breach.