Uber reportedly paid the hackers $100,000 to delete the stolen data and keep quiet about it.
Uber is only now going public about an October 2016 data breach that affected the data of Uber drivers as well as 57 million users, exposing their names, email addresses and mobile phone numbers.
Uber's new CEO Dara Khosrowshahi said Tuesday that he only recently learned about the incident, which Uber discovered in November 2016. "You may be asking why we are just talking about this now, a year later," wrote Khosrowshahi, who was hired in August. "I had the same question, so I immediately asked for a thorough investigation."
Uber found that "two individuals outside the company" accessed user data—including the names and driver's license numbers of 600,000 drivers in the US—via a third-party cloud service.
"We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed," Uber's CEO wrote.
According to Bloomberg, Uber paid the hackers $100,000 to delete the data and stay quiet.
No trip location history, credit card numbers, or other sensitive data like Social Security numbers were downloaded by the hackers, Khosrowshahi said. Uber is now notifying drivers affected by the breach and monitoring affected user accounts with additional fraud protection. So far, Uber has found no evidence of fraud or misuse related to the breach.
However, it's unclear why Uber didn't alert regulatory authorities. Most states, including California, have laws that demand companies disclose data breaches when they affect local residents' personal information.
"None of this should have happened, and I will not make excuses for it," according to Khosrowshahi, who fired the two people who led the company's response to the breach. That includes Uber's chief security officer Joe Sullivan, Bloomberg says.
"While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes," Khosrowshahi said.
Uber did not immediately respond to a request for comment.
