Uber data breach – Company pays off hackers to keep quiet

2017 hasn’t exactly been the best year for the 68bn start-up company Uber. The most recent blow to the transport giant’s reputation is the revelation of a covered-up data breach which happened in 2016.

Uber data breachOn Tuesday Uber announced that they had suffered a large-scale data breach where the records of 57 million customers and driver’s data was stolen by two hackers. The hackers stole personal data including names, email addresses and phone numbers, as well as the names and driver’s license numbers of about 600,000 drivers in the United States.

What makes the already terrible situation worse is that instead of notifying authorities, affected customers and employees, they paid the hackers to keep quiet. In their statement Uber confirmed that $100,000 (Around £75,000) was paid to the two hackers to delete the stolen data.


“None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”

Uber chief executive Dara Khosrowshahi said in a statement acknowledging the breach and cover-up.


American press has reported that the data breach was caused by two hackers obtaining un-encrypted log on credentials. The usernames and passwords were found on a private area of GitHub, an online resource for developers. The hackers used the credentials to access data stored on Uber’s Amazon Web Services account.

This isn’t the first time we’ve seen delays in information regarding large scale data breaches become public. Earlier this year Equifax had been under intense scrutiny after news broke out regarding their 143 million record data breach. Equifax didn’t notify the public for nearly 6 months after the breach happened. What made the situation worse is three of the company’s executives sold nearly $2 million in stocks before the news was announced.

Now that Uber has been the latest name to add to the list of large scale data breaches, is it time for the USA bring in GDPR style data breach reporting laws? Currently the new GDPR regulations are only coming in to affect in Europe as of May 2018. Firms can see fines as large as £17 million or 4% of global revenue, whichever is higher.

If you’re interested in how your company can help protect itself from data breaches or any other cyber security threats, then please contact one of our expert cyber security consultants.

Leave a Reply