Uber Paid Hackers $100k to Hide Attack that Exposed Data of 57 Million Users
According to a new report from Bloomberg, Uber suffered a massive data breach last year that exposed the personal data of 57 million customers and drivers.
The attack occurred in October 2016 and included the personal information of 50 million riders and 7 million drivers. Personal information of drivers included about 600,000 U.S. driver’s license numbers.
Uber said that social security numbers, credit card details, trip location and other sensitive information were not stolen in the hack.
The pair of hackers reportedly accessed a private GitHub repository that was used by Uber’s software engineers. By accessing the code base, the hackers were able to get credentials to access the company’s Amazon Web Services account and obtain an archive of user data.
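As an added illustration (not Uber's code and not from the Bloomberg report), this Python sketch shows the kind of check that flags AWS credentials committed to a repository. It assumes the credentials took the form of AWS access keys stored in files, which the report does not specify; the function names and sample file are hypothetical.

```python
import math
import re
from pathlib import Path

# Access key IDs: AKIA (long-term) or ASIA (temporary) followed by 16 characters.
KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys: 40 characters from the base64 alphabet.
SECRET = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
# A 40-character hex string (e.g. a git commit SHA) cannot exceed 4 bits per character.
MIN_ENTROPY = 4.2


def entropy(s):
    """Shannon entropy of s in bits per character."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def redact(value):
    """Keep enough of the match to locate it without copying the secret into reports."""
    return value[:4] + "..." + value[-4:]


def scan_text(path, text):
    """Return (path, line number, rule, redacted match) for each suspected credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in KEY_ID.finditer(line):
            findings.append((path, lineno, "aws-access-key-id", redact(m.group())))
        for m in SECRET.finditer(line):
            if entropy(m.group()) >= MIN_ENTROPY:
                findings.append((path, lineno, "aws-secret-candidate", redact(m.group())))
    return findings


def scan_tree(root):
    """Scan every regular file under root (working tree only, not git history)."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            findings += scan_text(str(p), p.read_text(errors="ignore"))
    return findings


# Constructed sample: AWS's documented example key pair plus a commit SHA as a decoy.
SAMPLE = """[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# pinned to commit 9fceb02d0ae598e95dc970b74767f19372d61af8
"""

if __name__ == "__main__":
    for finding in scan_text("config.ini", SAMPLE):
        print(*finding, sep=":")
```

The entropy threshold is what keeps commit hashes and other 40-character hex strings out of the results while still catching base64-style secrets.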
Uber was obligated to inform authorities of the breach and to alert drivers whose license information was stolen, but the company instead chose to pay the hackers $100,000 to delete the data. In a statement, Uber CEO Dara Khosrowshahi said:
“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”
Uber’s efforts to conceal the hack were led by chief security officer Joe Sullivan, who has since been ousted from the company. Uber also let go of Craig Clark, a senior lawyer who worked with Sullivan.
Matt Olsen, a former member of the general counsel at the National Security Agency, has been hired to help the company restructure its security teams.