The basic strategy of most nefarious hackers is to take a bunch of data, tell your victim you have their data, and then demand some kind of ransom in exchange for keeping the hack secret. Unfortunately, it seems like most hacking victims don’t pay the ransoms, because the threat of having customer data released isn’t a particularly big deal for some reason while the thrill of being able to say “we don’t negotiate with terrorists” or whatever is far too enticing to ignore. Today, Bloomberg has revealed that Uber actually caved to hackers in 2016, giving them $100,000 to keep quiet about a major security breach.
The reason this has come out now is that Uber’s new CEO Dara Khosrowshahi—who is replacing disgraced former CEO Travis Kalanick—presumably found out about it recently, and he just dumped the company’s chief security officer and one of his deputies for their involvement in keeping the hack a secret. Bloomberg says the hackers managed to get the names, email addresses, and phone numbers of 50 million Uber users, along with the personal information of nearly 10 million drivers. Supposedly, no Social Security numbers, credit card numbers, or trip data (like home addresses) were taken.
In a statement, Khosrowshahi said, “none of this should have happened, and I will not make excuses for it.” He also added, “we are changing the way we do business,” which is probably a smart concept for Uber in general since the company is famously terrible. Also, as suggested by Bloomberg, the company may have broken the law by not notifying people of the hack, since various state and federal laws demand that hacked companies make it public when driver’s license data is breached—which it was.
Just in case this all wasn’t bad enough for Uber, Bloomberg notes that this hack happened right around the same time that the company had to pay a $20,000 fine to the New York attorney general for not disclosing a different data breach, so maybe it’s an especially good idea for the new CEO to start cleaning things up.