The ride-hailing giant admitted that it tried to sweep under the rug a significant security breach that affected millions of customers and drivers.
On Tuesday, the company revealed that it had paid off a team of hackers who stole the personal information of over 57 million users and drivers, whilst concealing the global data breach from those affected and failing to notify the authorities.
Uber is a widely popular car-hailing app that offers its service in 633 cities worldwide and is used by 40 million unique riders each month.
In a public statement acknowledging the incident, Uber’s recently installed chief executive Dara Khosrowshahi confirmed that the $68 bln startup suffered a considerable security breach in October 2016, when cyber criminals managed to obtain personal data of its customers and employees, such as names, email addresses and phone numbers as well as drivers’ license numbers.
“None of this should have happened, and I will not make excuses for it,” a statement from Khosrowshahi read.
“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”
According to Bloomberg, the breach supposedly occurred when the hackers acquired login credentials to access personal data that was stored on the company’s Amazon Web Services account.
The fact that such sensitive data was unencrypted and so poorly protected led to a number of digital security professionals blasting Uber for its “unforgivable” unprofessionalism.
CEO of cybersecurity firm BullGuard Paul Lipman said that Uber’s failure to take basic security precautions was “just a complete misstep from an information security viewpoint,” according to the Guardian.
But it was not just Uber’s failure to protect its customers’ data that caused the uproar about the company’s behavior. The car-sharing app was also slammed for trying to conceal the entire incident from its users, drivers and the US government.
Instead of notifying those affected and reporting the incident to law enforcement authorities as it is required to by law, Uber tried to save face and pay off the criminals responsible, transferring $100,000 in exchange for the hackers’ promise to delete the data and keep quiet about the breach.
Khosrowshahi tried to calm the victims of the breach by promising that the company had “obtained assurances that the downloaded data had been destroyed” and upgraded its security to prevent further breaches.
However, this might not be enough for the affected users and drivers, who learned about the breach from the media rather than from Uber itself.
Uber driver Robert Judge, quoted by the Guardian, said that “the hack and the cover up is typical Uber only caring about themselves”.
“I found out through the media. Uber doesn’t get out in front of things, they hide them.”
In its response to the public outcry, the company promised to provide every affected driver with free credit monitoring and identity theft protection.
Khosrowshahi also said that the “failure to notify affected individuals or regulators” led to him firing two employees, who were responsible for the cover-up.
According to Bloomberg, the company’s chief security officer Joe Sullivan was fired by Khosrowshahi for the botched response to the 2016 hack.
However, Uber already has a long history of run-ins with the law, suggesting that the problem is institutional rather than the fault of two individuals.
This June, Travis Kalanick, Khosrowshahi’s predecessor as Uber’s chief, stepped down after the company was rocked by allegations of tolerating a culture of sexual harassment in the workplace and deceiving law enforcement officials trying to investigate its activities.
The New York state Attorney General has reportedly opened an investigation into the 2016 cyber security breach.
Uber’s users, however, were not content with the company’s approach to handling the theft of their personal data and took to Twitter to voice their concerns.