New Uber CEO comes clean about 2016 hack, claiming data was destroyed and new measures implemented. But can users and drivers be sure?
Uber has admitted that it suffered a hack in 2016 in which the personal information of 57 million customers and 600,000 drivers was stolen, and that it paid $100,000 to keep the breach quiet.
The company is adamant that trip location history, credit card numbers, bank account numbers and dates of birth were not obtained, but that other personal information was, including the names and driver's licence details of US drivers.
“As Uber’s CEO, it’s my job to set our course for the future, which begins with building a company that every Uber employee, partner and customer can be proud of,” said Uber’s new chief executive, Dara Khosrowshahi. “For that to happen, we have to be honest and transparent as we work to repair our past mistakes.
“I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use. The incident did not breach our corporate systems or infrastructure.
“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.
“You may be asking why we are just talking about this now, a year later. I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it. What I learned, particularly around our failure to notify affected individuals or regulators last year, has prompted me to take several actions.”
Khosrowshahi promised Uber would change how it handled security going forward and would notify drivers of the incident. He added that the company had seen no evidence of fraud resulting from the hack.
It has also been reported that Khosrowshahi has sacked the company’s chief security officer and one of his deputies for their roles in hiding the hack, as well as for making the payment.
“None of this should have happened, and I will not make excuses for it,” he added. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
Was it actually deleted?
However, experts are concerned that the delay in admitting the breach has put customers at risk, and that there can be no guarantee the data was actually deleted.
“There is no question that the previous management and security team at Uber failed in their responsibility to their drivers, to regulators, to justice and above all to their customers, and that’s a pretty long list,” commented Rik Ferguson, vice president of cybersecurity at Trend Micro.
“However certain those responsible may have been that their attackers had been silenced, digital theft does not work the same way as in the physical world: you can never ‘buy back the negatives’ once data has been stolen.
“It is heartening to see the new management team come clean about the breach, but I remain concerned at some of the wording in Mr Khosrowshahi’s blog. He appears to distance Uber’s ‘corporate systems and infrastructure’ from the ‘third-party cloud-based service’ that was the target of the breach. This is perhaps indicative of the root of the problem. Cloud services adopted by a business are corporate systems and infrastructure and from a security perspective should be treated as such.
“You can’t outsource accountability.”