Insisting that it is “changing the way we do business,” Uber announced Tuesday that it fired its chief security officer and another employee after revealing that it paid the hackers behind a security breach last year, which exposed the personal information of millions of people, to keep quiet about the incident.
Until Tuesday, Joe Sullivan directed a security team at Uber that covered up an October 2016 incident in which two people figured out how to get into Uber’s Amazon Web Services account through credentials pilfered from a GitHub site used by its engineers, accessing the personal information of 57 million customers and 7 million of its drivers, according to Bloomberg. New Uber CEO Dara Khosrowshahi said that drivers’ license numbers were accessed in the breach, which Uber concluded, after a recent investigation into the incident, that it was legally required to report to federal authorities.
It did not.
“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” Khosrowshahi said in a statement. “We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
Uber does not believe that any credit card numbers or location history data were accessed in the incident, which it stressed did not involve any breach of its own systems. It’s not clear how the attackers managed to get into the GitHub accounts of Uber employees, and it’s not clear if the data was ever used or sold to another party, although Uber seems confident that its $100,000 payment actually resulted in the deletion of the data.
And just to add another layer, the payment and cover-up took place around the same time Uber was negotiating a settlement with the U.S. government over earlier privacy snafus, which obviously might have gone in a different direction had regulators known of the incident. Sullivan, who joined Uber in 2015 after a five-year stint as Facebook’s chief security officer, was in charge of responding to the incident, according to the report.
Khosrowshahi’s frustration with Uber’s culture prior to his arrival shone through in his statement.
You may be asking why we are just talking about this now, a year later. I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it. What I learned, particularly around our failure to notify affected individuals or regulators last year, has prompted me to take several actions.
Some of those actions include restructuring Uber’s security department, which means that nearly every part of Uber has been turned upside down since founder Travis Kalanick was ousted as CEO in June. The pioneering ride-sharing company has raised an incredible amount of money, valuing the company at around $70 billion, as it attempts to bring its service to every part of the world, and it has long cultivated a defiant reputation when it comes to pesky things like laws.