Uber Says Hackers Stole Personal Data Of 57 Million Users
ELISE HU, HOST:
Leaders at Uber hid a major hack that exposed the data of 57 million people - users and drivers - for more than a year. The company's new CEO just reported that breach to federal officials and fired his employees in charge of the cover-up. Here to talk about this with us is NPR tech reporter Aarti Shahani. Aarti, what happened?
AARTI SHAHANI, BYLINE: (Laughter) It's breathtaking. Dara Khosrowshahi published a blog post today after Bloomberg broke the story. He says just recently he learned about the breach. It happened in late 2016 before he took over the company. He said hackers managed to crack into an online safe and download some information, the names and driver's license numbers of around 600,000 drivers in the United States. And then in terms of passengers - in terms of riders, hackers got names, email addresses, mobile phone numbers.
You know, we're talking 57 million victims total. Khosrowshahi said that the company investigated, and they did not see any indication that things like trip location history or credit card numbers or bank account numbers or Social Security numbers or dates of birth were stolen. But he also does say that, you know, Uber should have informed regulators about it.
HU: Yeah. And this cover-up is also rather surprising. Tell us more about that.
SHAHANI: (Laughter) Yeah. This is quite a detail. The man at Uber who was in charge of security - his name is Joe Sullivan - he covered it up according to the Bloomberg report. He didn't let government officials or the public or victims know. And you know, the remarkable detail from the report is that Uber actually paid the hackers a hundred thousand dollars, OK? They paid the hackers to delete the data and keep their mouths shut about it.
Sullivan is a man I've interviewed in the past both when he was over at Facebook and then at Uber. He's a former federal prosecutor, a former public servant. And you know, he had an interesting approach to his job. For example, he felt like it was OK for Uber to start using the sensors on drivers' smartphones to track how they drive, how they perform on the job even though many drivers were not aware of this practice and didn't like it. It turns out he didn't feel an obligation to disclose to them that their data was taken either.
HU: So what's happening to him, this chief security officer you're talking about?
SHAHANI: Well, Uber let go of Sullivan and one of his lieutenants this week. And I think Khosrowshahi is trying to send the message to his employees and investors of, hey, I know Uber has had some very shady business practices, but really we are turning a corner here. And this is really damaging news for Uber. The company just lost a major appeal over in London, OK? The courts there decided Uber has been misclassifying their workers. Uber says everyone who drives for them is a contractor, not an employee. The U.K. court found that to not be true, a legal fiction. Uber is going to fight that ruling.
But it is an indicator of how regulators and courts around the world are scrutinizing the company. And Uber - you know, it can't take for granted its business model. It's not there anymore. And of course, you know, over in the U.S., Uber has been under scrutiny for privacy violations, intentionally concealing its service from public sector workers who want to regulate the company and whatnot.
HU: What about the victims, Aarti? What is Uber telling the victims of this hack?
SHAHANI: Well, they're doing what every company seems to do after a breach, what Equifax and Yahoo and others have done. They're offering free credit monitoring. Now, whether or not that's effective to block identity theft - that remains to be seen. But it is the standard courtesy these days.
HU: NPR's Aarti Shahani speaking to us from San Francisco. Aarti, thank you.
SHAHANI: Thank you.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.