Uber hid hack that exposed data of 57 million users, drivers

New Uber CEO Dara Khosrowshahi says the breach happened in October 2016.

Laura Hautala
Laura Hautala
Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking. Credentials
  • 2022 Eddie Award for a single article in consumer technology
Dara Kerr Former senior reporter
Dara Kerr was a senior reporter for CNET covering the on-demand economy and tech culture. She grew up in Colorado, went to school in New York City and can never remember how to pronounce gif.
Laura Hautala
Dara Kerr
2 min read

Uber revealed Tuesday that hackers stole data on 57 million drivers and riders in October 2016, the ride-hailing company said on Tuesday. 

The pilfered data included personal information such as names, email addresses and driver's license numbers, the company said. Social Security numbers and credit card information, however, didn't appear to have been compromised.

Dara Khosrowshahi, Uber's new CEO, and the company said in a trio of statements that he learned of the breach "recently," but the company had discovered it in November 2016. Uber paid $100,000 for the data thieves to delete the information at the time.

The data was stored on an Amazon Web Services cloud account, and "two individuals outside the company" accessed and downloaded the information, he said. The company believes the data has since been deleted, he added, and there are no signs of fraud stemming from the breach.

The company now believes it had a legal obligation to disclose the breach.

"None of this should have happened, and I will not make excuses for it," Khosrowshahi said. "While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes."

Uber said it doesn't think riders need to worry. The company thinks about 600,000 drivers were affected, and it's offering them credit monitoring and identity theft protection.

By all accounts, Uber has had a terrible year. It's been wracked with scandals and saw a spectacular fall from grace that led to the ouster of its former CEO Travis Kalanick and five separate Department of Justice investigations.

Since Khosrowshahi was appointed in August, the company has been getting back on its feet. But, Khosrowshahi has a lot to clean up. Uber is dealing with a slew of lawsuits brought by investors, drivers and passengers. The company is still also ironing out kinks with regulators in major cities, like London, Sao Paulo and Copenhagen.

This isn't the first hack into Uber's data. The company was hit with a cyberattack in May 2014 that put up to 50,000 former and current Uber drivers' personal information at risk. The company was slow to reveal that attack too. It didn't announce the attack until eight months after it was discovered.

In its information page for drivers, Uber said it didn't tell drivers right away when it found the problem. "We think this was wrong, which is why we are now taking the actions we've described," the company said.

CNET Magazine: Check out a sample of the stories in CNET's newsstand edition.

It's Complicated: This is dating in the age of apps. Having fun yet? These stories get to the heart of the matter.