Ride-sharing provider Uber has admitted that it concealed a hack affecting 57 million customers and drivers, the latest major cyber-attack to come to light.
The 2016 breach was hidden by the firm, which paid the hackers $100,000 to delete the names, email addresses and mobile phone numbers of millions of customers, according to the Bloomberg report that first broke the news.
In a statement, Uber chief executive Dara Khosrowshahi said the October 2016 attack was identified in December 2016. Khosrowshahi, who took charge of the company in September, said he launched an investigation as soon as he learned of the attack, and apologised for it.
"While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection," Khosrowshahi said. "None of this should have happened, and I will not make excuses for it.
"While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes."
Reportedly, the attackers gained access through GitHub, a code repository service used by Uber developers.
According to some reports, the hack has already cost Uber chief security officer Joe Sullivan, and a number of his associates, their jobs because they sought to keep it quiet.
The news comes after a tough year for Uber, in which founder and CEO Travis Kalanick stepped down following a sexual harassment storm at the company and Transport for London refused to renew its licence.
The company is currently in talks with a consortium led by Japanese telecoms giant SoftBank over an investment that could be worth up to $10 billion according to some reports.
The UK's Information Commissioner's Office, which deals with data breaches affecting UK customers and enforces data protection laws, said Uber's announcement "raises huge concerns about its data protection policies and ethics".
James Dipple-Johnstone, ICO deputy commissioner, added: “We'll be working with the NCSC plus other relevant authorities in the UK and overseas to determine the scale of the breach, how it has affected people in the UK and what steps need to be taken by the firm to ensure it fully complies with its data protection obligations.
"Deliberately concealing breaches from regulators and citizens could attract higher fines for companies."
Christopher Day, chief cyber security officer at Cyxtera, said: “Uber's disclosure on November 21 that they were breached one year ago and paid attackers to delete the data is disturbing on multiple levels. At a minimum, it flies in the face of ethics and transparency. Paying criminals further emboldens them and keeps the cybersecurity community from understanding techniques that could help other organizations prevent a similar attack.
"From a legal perspective, Uber failed to properly notify victims. This will inevitably cost the company dearly in terms of penalties and lawsuits. In fact, UK regulators are digging in already to understand the scope; which could trigger GDPR-related fines. The New York State Attorney General's office is also investigating the event."
The decision to conceal the breach echoes Verizon's takeover of Yahoo, completed earlier this year, in which Yahoo disclosed two massive data breaches only after the deal had been struck.
The breaches – which hit around 500 million and up to 3 billion customers respectively – were not disclosed prior to the $4.9 billion takeover agreement, even though reports claimed some at Yahoo were aware of the attacks months earlier. Verizon ultimately received a $350 million discount on its purchase price.