Uber Breach, Kept Secret for a Year, Hit 57 Million Accounts

Don Creery, who drives for both Uber and Lyft, drives in Seattle. - RUTH FREMSON/THE NEW YORK TIMES

By MIKE ISAAC, KATIE BENNER and SHEERA FRENKEL
© 2017 New York Times News Service

SAN FRANCISCO — In November 2016, Uber executives faced an expensive — and risky — decision.

Two hackers had stolen data about the company’s riders and drivers — including phone numbers, email addresses and names — from a third-party server, putting the personal data of more than 57 million people at risk. The hackers approached Uber and demanded $100,000 to delete their copy of the data, according to several current and former employees, who spoke on the condition of anonymity because the details are private.

Uber acquiesced to the demands. Under the orders of Travis Kalanick, who was then its chief executive, and Joe Sullivan, the chief security officer, the company paid the ransom.

The details of the attack remained hidden until Tuesday, when the ride-hailing company disclosed the breach after it was discovered as part of a board investigation into Uber’s business practices. Sullivan and one of his colleagues were fired. Kalanick was pushed out in June after a series of scandals led to his falling out of favor with major shareholders, although he remains on Uber’s board of directors.

The breach at Uber is far from the most serious exposure of sensitive customer information. The two hacks that Yahoo announced in 2016 eclipse Uber’s in size and an attack disclosed in September by Equifax, the consumer credit reporting agency, exposed a far deeper trove of personal information for a far larger group of people.

But the handling of the hack underscores the extent to which Uber executives were willing to go to protect the $70 billion ride-hailing giant’s reputation and business, even at the potential cost of breaking users’ trust and, perhaps more important, state and federal laws. The New York attorney general’s office said on Tuesday that it had opened an investigation into the matter.

Dara Khosrowshahi, who was chosen to be chief executive of Uber in late August, said he only recently learned of the breach.

“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said in a company blog post.

A spokeswoman for Kalanick declined to comment.