Uber CEO Dara Khosrowshahi reportedly learned about a large data breach at the ride-hailing service two months ago and informed potential investor SoftBank before making the incident public.
In the breach, which took place in October 2016, hackers stole names, email addresses and phone numbers of 50 million Uber riders and 7 million drivers, and driver's license numbers from 600,000 U.S. Uber drivers, Khosrowshahi said Tuesday on Uber’s blog.
Tokyo-based telecom and Internet company SoftBank already knew.
Uber told the telecom and Internet company, which is seeking to invest about $10 billion in Uber, about the breach beforehand as part of disclosures about issues that could have a material impact on the company.
“We informed SoftBank that we were investigating a data breach, consistent with our duty to disclose to a potential investor, even though our information at the time was preliminary and incomplete,” the company said in a statement Friday.
“Once our internal inquiry concluded and we had a more complete understanding of the facts, we disclosed to regulators and our customers in a very public way.”
SoftBank is seeking a deal that would amount to a 14% stake in the privately held Uber.
In his Tuesday statement, Khosrowshahi, who took over as Uber’s CEO in August 2017, did not say when he learned about the breach. The Wall Street Journal, citing unnamed people familiar with the situation, reported Thursday that Khosrowshahi learned of the breach in September.
Uber declined to comment on that report.
In an earlier statement, Khosrowshahi — the ex-Expedia CEO brought in to clean up the fast-growing company that was hobbled by a toxic corporate culture and ethical lapses — had expressed surprise that the hack was only coming to light now.
“You may be asking why we are just talking about this now, a year later. I had the same question,” Khosrowshahi wrote.
He said that a year ago, Uber had taken “immediate steps to secure the data and shut down further unauthorized access by the individuals,” including “assurances that the downloaded data had been destroyed.”
It did so by paying the hackers who had taken the data $100,000 to delete it and remain silent about it, Bloomberg reported Tuesday. Uber declined to comment on the report.
Its delay in informing the public — and the unusual move of paying off hackers — had already raised the ire of some regulators.
The New York State Office of the Attorney General has opened an investigation into the breach and a suit seeking class-action status was filed in federal court in California.
Uber failed to protect consumers' personal information and did not “provide timely and accurate notice to them that their Private Identifiable Information was compromised as a result of the data breach,” the suit reads.
Khosrowshahi said that the company had fired two individuals “who led the response to this incident.” Those employees were chief security officer Joe Sullivan and Craig Clark, a senior lawyer who reported to Sullivan, according to Bloomberg.
The company has notified its drivers who had their license numbers stolen and is providing protection against credit and identity theft, Khosrowshahi said.
As for Uber customers, he said, “While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection.”