Uber Covered Up 2016 Data Breach

Uber is facing yet another crisis.

This time, the ride-hailing service has admitted failing to disclose (and ultimately covering up) a massive cyberattack that exposed the personal data of 57 million users last year.

Uber CEO Dara Khosrowshahi issued a statement Tuesday confirming the company first learned about the October 2016 breach late last year.

"I recently learned that in late 2016, we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use," said Khosrowshahi.

MORE Impacting Travel

Coronavirus Outbreak Could Impact Tourism Into 2021

Winter Weather Forces Flight Delays, Cancellations Across US

Congress Proposes Trusted Traveler REAL ID Relief Act

Uber said there has been no evidence that trip location history, credit card numbers, bank account numbers, social security numbers or dates of birth were compromised. However, the cybercriminals did obtain the names and driver's license numbers of approximately 600,000 drivers in the U.S. along with the names, email addresses and mobile phone numbers of some 57 million riders and drivers from around the world.

According to Bloomberg, Uber paid the hackers $100,000 to delete the data and keep the breach quiet.

"At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals," added Khosrowshahi. "We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts."

Former Uber CEO Travis Kalanick, who resigned from his post amid multiple scandals in June, was made aware of the hack one month after it occurred. The company's then chief security officer Joe Sullivan and another executive are also alleged to have participated in the coverup. Both have been ousted.

In addition to the firings, Khosrowshahi said Uber has taken other actions since learning of the attack, including notifying drivers whose license numbers were downloaded and providing them with free credit monitoring and identity theft protection.

Uber is also monitoring the affected accounts for potential fraud and has tapped former National Security Agency (NSA) lawyer Matt Olsen as an adviser to assist with efforts moving forward.

READ MORE: Uber Takes Another Hit in UK

"None of this should have happened and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers," Khosrowshahi concluded.

Bloomberg reported New York Attorney General Eric Schneiderman has already launched an investigation into the breach and a user seeking class-action status has since sued Uber for negligence in Los Angeles.

Although Uber has been on the cutting-edge of travel technology with efforts to introduce self-driving cars and flying taxis, the company has a checkered past when it comes to adhering to regulations. The ride-hailing service reached a $20 million settlement with the Federal Trade Commission (FTC) over claims it misled drivers earlier this year and is currently appealing to have its license reinstated in London.

Follow @_Pat_Clarke