NEW YORK (CBSNewYork/CBS News) — Hackers have stolen personal data from 57 million Uber customers and drivers, the ridesharing app said Tuesday.
The stolen information includes names, home addresses, mobile phone numbers and emails of 50 million people who have used Uber around the world. The breach also exposed the driver’s licenses and other information for roughly 7 million drivers for the company, including 600,000 in the U.S.
No Social Security numbers, credit card numbers, bank account numbers, birth dates or trip location data were taken, Uber said, adding that it hasn’t seen evidence of fraud related to the breach. The company said it is monitoring affected accounts for signs of misuse.
“We do not believe any individual rider needs to take any action,” Uber said, while encouraging users of the service to monitor their credit and accounts.
Bloomberg first reported news of the hack. The news service also said Uber concealed the attack for more than a year.
“None of this should have happened, and I will not make excuses for it,” Dara Khosrowshahi, who Uber named as chief executive officer in September, said in a statement. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”
In a statement, Khosrowshahi said he “recently” learned that Uber in late 2016 discovered that two individuals outside of Uber accessed user data housed on third-party internet cloud services the company uses. The hack didn’t penetrate Uber’s corporate systems or infrastructure, he said.
“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals,” he said. “We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed.”
Uber also tightened security for its cloud-based storage systems, according to the company.
A source said the hack Uber did not report the hack to law enforcement when it first happened.
A source familiar with the hack and the initial investigation also said Uber paid the supposed hackers $100,000 to delete the stolen data. It is not clear whether the hackers did so, the source said.
Khosrowshahi acknowledged that Uber had failed to inform Uber users that their data been stolen in a timely manner, saying he initiated an investigation of the incident and of how Uber handled it.
“Effective today, two of the individuals who led the response to this incident are no longer with the company,” he said.
Bloomberg reported that Uber Chief Security Officer Joseph Sullivan and one of his deputies had been ousted in connection with the breach.
Uber said it will individually notify drivers for the company whose license numbers were stolen and also provide them with free credit-monitoring and identity theft protection.