Uber is giving Equifax a run for its money.
The ride-sharing behemoth covered up a hack that hit 57 million users for more than a year, according to a new report from Bloomberg. Names, email addresses, and mobile phone numbers were taken by two hackers able to reach Uber’s third-party cloud service. The data breach also impacted seven million Uber drivers, including 600,000 in the U.S.
Credit card information, location history and social security numbers were not part of the hack, Uber told Bloomberg.
Compounding matters, Uber failed to report the hack to state or federal regulators until Tuesday — a year after it was first spotted.(Companies are compelled by local and federal laws to report hacks.) Ex-CEO Travis Kalanick learned of the breach in Nov. 2016, about a month after it happened. Uber paid the hackers $100,000 to delete the stolen info and keep quiet about it.
Uber acknowledged the hack in a blog post from CEO Dara Khosrowshahi on Tuesday afternoon.
“None of this should have happened, and I will not make excuses for it,” said Khosrowshahi, who joined the company in August. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”
Khosrowshahi asked Joe Sullivan, chief security officer, for his resignation this week, and fired a “senior lawyer” that reported to him, according to Bloomberg; the chief exec alluded to this in his blog, saying the two individuals that “led the response” were no longer with the company.