57 Million People Should Know That Uber Got Hacked Last Year

It’s been a bad few months for Uber. Issues of drivers, of internal corporate culture, and more have hit the company up one side and down the other. Now, there’s actually a bigger problem afoot: bad enough that Uber had been hit by a data breach, but the event took place over a year ago, and we’re only just now finding out about it.

Perhaps even worse than this is the revelation that not only was Uber hacked, but why the reports are only just now coming out; turns out that Uber’s chief security officer, at last report, not only kept the breach quiet—not telling the 57 million users who had been impacted by the hack in one way or another—but also paid hackers $100,000 to delete the information taken.

The 57 million number includes 50 million who had names, phone numbers and email addresses exposed. Nothing particularly big; most of that information is publicly available anyway. However, it got worse; around seven million had personal information exposed, including 600,000 driver’s license numbers, which could be downright disastrous.

Uber itself noted that the really sensitive stuff—credit card information, Social Security numbers and the like—hadn’t been touched in the breach. Plus, Uber fairly rapidly fired its wayward security chief as well as a senior lawyer who reported to same for their roles in the breach.

While Uber’s corporate culture definitely hasn’t been anything to write home about, and its issues with its “independent contractors” are certainly problems in their own right, this might have been the kind of thing that should have been addressed faster. It would have been bad enough had they just now found out about it, but engaging in a large-scale cover-up for around a year or so is almost ludicrous.

This is the kind of thing that could torpedo trust in mobile payments. Breaches happen. We know they do. It’s a part of online life, and we work to protect ourselves accordingly. But when the breach target doesn’t fill anyone in for a year and instead tries to cover it up by paying off people who steal data to basically double-pinky-swear they’ll delete that data, it’s a much bigger problem than anyone might have seen coming.