优步5700万用户数据被黑客窃取 曾支付10万美元封口费
Uber Technologies Inc. paid hackers $100,000 to keep secret a massive breach last year that exposed the personal information of about 57 million accounts of the ride-service provider, the company said on Tuesday. Discovery of the cover-up resulted in the firing of two employees responsible for its response to the hack, said Dara Khosrowshahi, who replaced co-founder Travis Kalanick as CEO in August. "None of this should have happened and I will not make excuses for it," Khosrowshahi said in a blog post. The breach occurred in October 2016 but Khosrowshahi said he had only recently learned of it. The stolen information included names, email addresses and mobile phone numbers of Uber users around the world and the names and license numbers of 600,000 US drivers, Khosrowshahi said. Uber passengers need not worry as there was no evidence of fraud, while drivers whose license numbers had been stolen would be offered free identity theft protection and credit monitoring, Uber said. Bloomberg News first reported the data breach on Tuesday. Khosrowshahi said Uber had begun notifying regulators. The New York attorney general has opened an investigation, a spokeswoman said. Regulators in Australia and the Philippines said on Wednesday they would look into the matter. Uber said it had fired its chief security officer, Joe Sullivan, and a deputy, Craig Clark, this week because of their role in the handling of the incident. Sullivan, formerly the top security official at Facebook Inc and a federal prosecutor, served as both security chief and deputy general counsel for Uber. Kalanick learned of the breach in November 2016, a month after it took place, a source familiar with the matter told Reuters. At the time, the company was negotiating with the US Federal Trade Commission over the handling of consumer data. A board committee had investigated the breach and concluded that neither Kalanick nor Salle Yoo, Uber’s general counsel at the time, were involved in the cover-up, another person familiar with the issue said. The person did not say when the investigation took place. Uber said on Tuesday it was obliged to report the theft of the drivers’ license information and had failed to do so. Kalanick, through a spokesman, declined to comment. The former CEO remains on the Uber board of directors, and Khosrowshahi has said he consults with him regularly. Although payments to hackers are rarely publicly discussed, US Federal Bureau of Investigation officials and private security companies have told Reuters that an increasing number of companies are paying criminal hackers to recover stolen data. “The economics of being a bad guy on the internet today are incredibly favorable,” said Oren Falkowitz, co-founder of California-based cyber security company Area 1 Security. Uber has a history of failing to protect driver and passenger data. Hackers previously stole information about Uber drivers and the company acknowledged in 2014 that its employees had used a software tool called “God View” to track passengers. Khosrowshahi said on Tuesday he had hired Matt Olsen, former general counsel of the US National Security Agency, to restructure the company’s security teams and processes. The company also hired Mandiant, a cybersecurity firm owned by FireEye Inc, to investigate the breach. |