Uber hid a hack that exposed data of 57 million users and drivers for more than a year

  • Hackers stole data from 57 million Uber users and drivers in 2016.
  • The hackers stole names and driver's license numbers of around 600,000 drivers in the U.S., as well as rider names, email addresses and mobile phone numbers.
  • The company paid hackers $100,000 to delete the data and keep the breach quiet, and did not report the breach.

Hackers stole data from 57 million Uber users and drivers, a breach that the company concealed for more than a year.

Uber released a statement on the 2016 attack and published resources for riders and drivers. According to the statement, the hack was performed by two people on a third-party cloud service.

The statement said the hackers stole personal information from 57 million Uber users around the world, including names and driver's license numbers of around 600,000 drivers in the U.S., rider names, email addresses and mobile phone numbers.

Location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth do not appear to have been stolen, Uber said. Affected drivers will get free credit monitoring and identity theft protection.

"None of this should have happened, and I will not make excuses for it," CEO Dara Khosrowshahi said in the statement. Khosrowshahi was not with the company at the time of the hack attack, having joined as CEO just this fall.

The company paid hackers $100,000 to delete the data and keep the breach quiet, and did not report the incident. The ride-hailing company said it has fired chief security officer Joe Sullivan — previously security boss at Facebook — for his role in hiding the data breach.

"At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures," Uber said in a statement. It did not address the payment.

New York Attorney General Eric Schneiderman launched an investigation into the hack, according to press secretary Amy Spitalnick.

Earlier this year, Uber agreed to 20 years of privacy audits after the FTC said the ride-hailing service had "failed consumers" after a 2014 data breach.

In that case, the FTC said: "Uber failed consumers in two key ways: First by misrepresenting the extent to which it monitored its employees' access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data."

The data breaches, while small in comparison to Yahoo's 3 billion-account cyberattack, are the latest of several missteps within the ride-hailing giant. The company has fielded scrutiny over allegations of sexual harassment and workplace misconduct, has lost numerous executives amid dissent within the board of directors, and has sparred with regulators from London to Singapore.

Former CEO Travis Kalanick knew about the 2016 hack.

"You may be asking why we are just talking about this now, a year later. I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it," Khosrowshahi said of the breach.

Bloomberg and The New York Times previously reported details of the data breach.

— CNBC's Paayal Zaveri contributed to this report.