Uber paid hackers $100,000 to cover up a 2016 cyberattack that exposed the personal data of 57 million people, including both riders and drivers, Bloomberg’s Eric Newcomer reported Tuesday.
The data breach, which occurred in October 2016, was not made public until Tuesday when Uber quietly published a blog post about the incident. But Uber’s former CEO Travis Kalanick was made aware of the breach just a month after it occurred.
“None of this should have happened, and I will not make excuses for it,” Dara Khosrowshahi, who joined Uber as CEO in September, wrote in the post. “We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
Among the info stolen was trove of data including the names, emails, and phone numbers for 50 million riders globally, as well as the personal information of 7 million drivers. This included US driver’s license numbers, but no Social Security numbers, according to Uber.
Two of the people responsible for Uber’s handling of the breach are no longer with the company as a result of the findings, Khosrowshahi wrote in the post.
One of them is Joe Sullivan, Uber’s chief security officer, who was asked by Khosrowshahi to resign, according to Bloomberg. Sullivan had previously worked at Facebook.
One of Sullivan’s direct reports, a lawyer named Craig Clark, was fired, according to the report.
In the hours since Bloomberg first published its report, New York State Attorney General Eric Schneiderman has opened up an investigation into how Uber handled the hack, Tech Crunch reports.
This news comes at the end of a rocky year for the company that included several high-level deparatures following reports that the company culture was toxic and allegations of sexism. Kalanick, who cofounded the company in 2009, resigned as CEO in June, though the strife continued as Uber’s board of directors battled over who would come in to replace him.