Uber Paid Off Hackers In Cover-Up
STEVE INSKEEP, HOST:
Uber is acknowledging a massive data breach. Hackers stole information like names and emails and driver's license numbers of Uber drivers. This all happened about a year ago, but the company only recently acknowledged it after a report in Bloomberg, and the way the company kept it quiet is also making news. We'll talk this through with NPR's Aarti Shahani, who's been following this story. Hi, Aarti.
AARTI SHAHANI, BYLINE: Hi.
INSKEEP: So what does Uber say happened here? Who got what?
SHAHANI: OK. So we're talking about 57 million victims total and, as you mentioned, two groups. With Uber passengers, what Uber says is that hackers got names, email addresses and mobile phone numbers. And according to a blog post by the CEO of the company, hackers did not get more personal information than that from passengers - not, like, bank account numbers, Social Security numbers, dates of birth. Now, that said, the second group, Uber drivers, is far worse off - 600,000 of them in the U.S. Hackers got their full names and full driver's license numbers, which is very personal. And, you know, Uber drivers already feel the company doesn't look out for them. That's something that we've reported on.
SHAHANI: Uber has promised to clean up its act, and yet, here is yet another example of Uber, you know, doing their drivers wrong.
INSKEEP: How did we not find out about this for a year?
SHAHANI: (Laughter) It's scandalous. The man at Uber who is in charge of security, his name is Joe Sullivan. According to a source close to the company, Sullivan covered it up and actually paid the hackers $100,000 to delete the data and keep their mouths shut about it. OK, this part is heartbreaking to lots of security experts in Silicon Valley who kind of had Sullivan on a pedestal. They think of him as a role model. He's a former federal prosecutor, a public servant, and he hid this from regulators.
The timing is not arbitrary, OK. This is going down while Uber is negotiating with the Federal Trade Commission, the FTC, over claims that the company misled drivers about something else, about how much they could earn on the job and how the car leasing program actually worked. And also Uber had just agreed to settle another FTC suit around how it handles consumer data. So, you know, there are real incentives in house to keep this hush-hush.
INSKEEP: Yeah. I'm trying to figure out how that $100,000 payment worked. I mean, is that a ransom, and how do you even know that hackers are going to keep their word once they've got your money? I mean, what was he thinking?
SHAHANI: That is a great question, and I wish I could have pried out of Uber a concrete answer to it. It's exactly what we asked. They were not able to provide any details. And obviously, I mean, do you just take their word for it, you know (laughter)?
SHAHANI: And how do you know they didn't make a copy? So we don't have any details there, and that's the right question to be asking.
INSKEEP: So what is Uber doing for the victims here?
SHAHANI: Uber is offering credit card monitoring and identity theft to drivers. It's a nice gesture. It's a standard gesture. It doesn't change the fact that on top of driving and, you know, having to deal with nuisances like returning lost cellphones to passengers, drivers now have to worry about yet another thing - their identity.
INSKEEP: Where's the new CEO in all of this?
SHAHANI: Well, the new CEO, Dara Khosrowshahi, this did not happen on his watch, and in his blog post, he says he learned about the hack only recently. He is letting authorities know, and he kicked out Sullivan as well as another employee involved in the cover-up. You know, now, that said, the former CEO of Uber, Travis Kalanick, it happened on his watch. He continues to be on the board. He continues to exercise influence over the company. And so, you know, I think as Uber tries to clean up its act and get more adults in the room, it's the pressure from outside, whether it's reporting, regulators, courts, that will help to keep them honest.
INSKEEP: Aarti, thanks as always.
SHAHANI: Thank you.
INSKEEP: That's NPR's Aarti Shahani.