(Reuters) – Uber Technologies paid hackers $100,000 to keep secret a massive breach last year that exposed the data of some 57 million accounts of the ride-service provider, the company said on Tuesday.
Discovery of the company’s cover-up of the incident resulted in the firing of two employees who led Uber’s response to the hack, said Dara Khosrowshahi, who was named CEO in August following the departure of founder Travis Kalanick.
Khosrowshahi said he had only recently learned of the breach, which happened in October 2016.
“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said in a blog post on the company website.
The company’s admission that it failed to disclose the breach comes as Uber seeks to recover from sexual harassment allegations and multiple federal criminal probes that culminated in Kalanick’s ouster in June.
The company said two hackers gained access to proprietary information used by Uber and stored on GitHub, a service that allows engineers to collaborate on software code. The two people downloaded the data, which included names, email addresses and mobile phone numbers of Uber users around the world and the names and driver’s license numbers of 600,000 US drivers, Khosrowshahi said.
“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” Khosrowshahi said. “We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
Bloomberg News first reported the data breach on Tuesday.
Khosrowshahi said Uber had begun notifying regulators. The New York attorney general has opened an investigation into the data breach, a spokeswoman said.
Uber said it fired its chief security officer, Joe Sullivan, and a deputy, Craig Clark, this week because of their role in the handling of the incident. Sullivan, formerly the top security official at Facebook and a federal prosecutor, served as both security chief and deputy general counsel for Uber.
Sullivan declined to comment when reached by Reuters. Clark could not immediately be reached for comment.
Kalanick learned of the breach in November 2016, a month after it took place, as the company was in negotiations with the US Federal Trade Commission over the handling of consumer data.
A person familiar with the breach said a board committee investigated the matter and concluded that neither Kalanick nor Salle Yoo, Uber’s general counsel at the time, were involved in the decision not to disclose the stolen data. The person did not say when the investigation took place.
Kalanick, through a spokesman, declined to comment.
Although payments to hackers are rarely publicly discussed, US FBI officials and private security companies have told Reuters that an increasing number of companies are paying thieves to recover stolen data.
Uber has a history of failing to protect driver and passenger data. Hackers previously stole information about Uber drivers and the company acknowledged in 2014 that its employees had used a software tool called “God View” to track passengers.
Khosrowshahi said on Tuesday that he had hired Matt Olsen, former general counsel of the US National Security Agency, to restructure the company’s security teams and processes. The company also hired Mandiant, a cybersecurity firm owned by FireEye, to investigate the breach.
The new CEO has traveled the world since replacing Kalanick to deliver a message that the company has matured from its earlier days as a rule-flouting startup.
“The new CEO faces an unknown number of problems fostered by the culture promoted by his predecessor,” said Erik Gordon, an expert in entrepreneurship and technology at the University of Michigan’s Ross School of Business.
(Reporting by Jim Finkle in Toronto and Heather Somerville in San Francisco; Additional reporting by Joseph Menn and Stephen Nellis in San Francisco; Editing by Tom Brown, Sue Horton and Lisa Shumaker)