Uber has ousted its chief security officer after it was revealed that the company “covered up” a massive cyberattack that compromised the personal information of more than 57 million users.
Chief security officer Joe Sullivan and deputy Craig Clark both resigned recently in response to the attack, which was disclosed earlier today by Bloomberg News reporter Eric Newcomer. The cyberattack is believed to have affected more than 50 million users and seven million drivers.
Uber CEO Dara Khosrowshahi, who replaced founder Travis Kalanick as CEO earlier this year, stated that “none of this should have happened,” referencing the attempt by Uber to hide the full effects of the hack. He also stated that Uber “will not make excuses” for the decision.
According to reports, former CEO Travis Kalanick was informed of the hack late last year. Uber did not disclose any information about the cyberattack to its drivers or users, potentially creating privacy issues for its customer base.
The hacked data included the names, phone numbers and email addresses of approximately 50 million Uber customers. Around seven million drivers were affected, with driver’s license data for approximately 600,000 people compromised.
The hackers reportedly targeted Uber’s Amazon cloud account, “breaking in” to the company’s online records. Uber paid out $100,000 to the hackers to ensure the security break-in wouldn’t become public and to prevent the data from being shared with others.
Sullivan, who has attracted much of the public attention for the “coverup” of the hack, joined Uber in 2015. He previously worked for Facebook as an online security specialist, as well as for auction platform eBay.
Uber representatives have publicly stated that the hack did not affect sensitive user data, such as credit card numbers, location information or bank account data. The hackers also failed to access private personal information such as social security numbers or birth dates.
Uber’s failure to disclose the hack could potentially have legal repercussions for the company. In California, where Uber is based, companies are required by law to report any data breach that affects more than 500 residents of the state.
Downplaying the impact of the hack, Khosrowshahi stated that Uber “obtained assurances that the downloaded data had been destroyed” by the hackers, and that the company has since taken steps to improve its digital security.
Uber will also offer free identity theft protection and credit monitoring services to its drivers to limit the effects of the cyberattack. The company’s statement on the hack and its outcome can be read here.
The 2016 hack could be the latest legal issue in a long list of problems for Uber, which has been plagued by sexual harassment claims over the past year. The New York state attorney general’s office has reportedly opened an investigation into the company’s slow response to the hack.
Other companies have been fined hundreds of millions of dollars for similar data breaches that affected large numbers of users. A 2015 security breach at Anthem Inc cost the company over $115 million in fines and settlements.