Uber is coming clean about its cover-up of a year-old hacking attack that stole personal information about more than 57 million of the beleaguered ride-hailing service’s customers and drivers. So far, there’s no evidence that the data taken has been misused, according to a Tuesday blog post by Uber’s recently hired CEO, Dara Khosrowshahi.
Part of the reason nothing malicious has happened, according to Uber, is that the company paid the hackers $100,000 to destroy the stolen information. A payment of that kind buys no verifiable assurance, however: nothing stops the recipients from keeping copies, and the data should be treated as exposed. The revelation marks the latest stain on Uber’s reputation.
Khosrowshahi criticized Uber’s handling of its data theft in his blog post: “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
The heist took the names, email addresses and mobile phone numbers of 57 million riders around the world. The thieves also nabbed the driver’s license numbers of 600,000 Uber drivers in the U.S.
Sophos’ Principal Research Scientist Chester Wisniewski said, “Uber’s breach demonstrates once again how developers need to take security seriously and never embed or deploy access tokens and keys in source code repositories. I would say it feels like I have watched this movie before, but usually organizations aren’t caught while actively involved in a cover-up. Putting the drama aside and the potential impacts from the upcoming GDPR enforcement, this is just another development team with poor security practices that has shared credentials. Sadly, this is common more often than not in agile development environments.”
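The mistake Wisniewski describes, credentials committed to a source repository, is mechanically detectable before a commit ever reaches a shared remote. The scanner below is an added example written for this page; it is not code from Uber, Sophos or the article. It combines fixed patterns for well-known credential formats with an entropy test on generic `secret`/`token`/`password` assignments, and it reports redacted values so the report itself does not leak what it found. The sample repository contents are constructed for the demo; the AWS key ID and secret are the placeholder values from AWS's own documentation, not live credentials, and the entropy threshold is a hand-picked assumption rather than a published figure.

```python
"""Scan source files for committed credentials.

Added example for this page (not Uber's, Sophos's or the article's code).
SAMPLE_REPO is constructed; the AWS values are documentation placeholders.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Fixed-format credentials: (finding kind, compiled regex).
PATTERNS = [
    ("aws_access_key_id",
     re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")),
    ("private_key_block",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
]

# Generic `name = "value"` / `name: 'value'` assignments whose name looks
# credential-like. The value is then entropy-tested to limit false positives
# (a placeholder such as "changeme" should not be reported).
ASSIGNMENT = re.compile(r'''(?i)\b(?P<name>[a-z0-9_]*(?:secret|token|password|passwd|api_key|apikey)[a-z0-9_]*)\s*[:=]\s*["'](?P<value>[^"']{8,})["']''')
ENTROPY_THRESHOLD = 3.5  # bits per character; an assumed, hand-tuned cut-off


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    sample: str  # redacted, so findings are safe to print or log


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep only the first and last two characters of a matched value."""
    if len(value) <= 6:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Return every credential-like match in one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            for m in pattern.finditer(line):
                findings.append(Finding(path, lineno, kind, redact(m.group(0))))
        for m in ASSIGNMENT.finditer(line):
            value = m.group("value")
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                kind = "high_entropy_" + m.group("name").lower()
                findings.append(Finding(path, lineno, kind, redact(value)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents, e.g. the files staged for a commit."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample repository: one file with embedded credentials, the
# hardened version that reads them from the environment, and a harmless
# low-entropy test placeholder that must not be reported.
SAMPLE_REPO = {
    "deploy/settings.py": (
        "# Credentials embedded in source: this is what must be caught.\n"
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "deploy/settings_fixed.py": (
        "# Hardened form: the values come from the environment or a secret store.\n"
        "import os\n"
        'AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]\n'
        'AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]\n'
    ),
    "tests/conftest.py": 'password = "changeme"\n',
}


if __name__ == "__main__":
    import sys
    results = scan_files(SAMPLE_REPO)
    for f in results:
        print(f"{f.path}:{f.line}: {f.kind} ({f.sample})")
    # Non-zero exit makes this usable as a pre-commit hook that blocks the commit.
    sys.exit(1 if results else 0)
```

Run as a pre-commit hook over the staged files, the script flags the two lines in `deploy/settings.py` and nothing in the hardened file or the test fixture. Keeping credentials out of the repository is only half the fix: once a key has been committed, rotate it, since rewriting history does not recall the copies already cloned.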