Uber admitted Tuesday to covering up a massive cyberattack by paying hackers $100,000 so they wouldn’t reveal that they had stolen sensitive information from 57 million customer and driver accounts.
Two hackers reportedly accessed a private GitHub site used by Uber engineers, stole login credentials, and accessed driver and rider data stored on an Amazon Web Services account. They then asked Uber for money while holding the private information for ransom.
The compromised data includes names, email addresses, and phone numbers of more than 50 million Uber riders and 7 million drivers around the world, according to a Bloomberg report. No Social Security numbers, credit card info, or trip details were obtained in the October 2016 attack.
Uber agreed to pay the fee as long as the hackers stayed quiet and deleted the info. However, instead of abiding by state and federal laws, the ride-hailing company hid the data breach from the public.
Uber admitted that it failed to take the correct actions. Former CEO Travis Kalanick, who was ousted in June following a string of controversies, reportedly knew about the breach in November 2016.
“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” Dara Khosrowshahi, the CEO of Uber who took over this September, told Bloomberg.
Uber, under new management, is desperately trying to make up for past mistakes. It recently fired Joe Sullivan, its chief security officer, and deputy Craig Clark for their handling of the incident.
Uber said it would notify users affected by the breach in the coming days.
Correction: The fired deputy security officer’s name is Craig Clark.