Uber concealed a massive cyberattack that affected 57 million customers and drivers around the world after paying a ransom to hackers, the company has confirmed.
The ride-hailing app confirmed that in October 2016, a breach was hidden by the company, which then paid hackers $100,000 (£75,000) to delete the data.
It was reported that the company sacked Joe Sullivan, chief security officer, and one of his deputies for their roles in keeping the hack secret.
Bloomberg News, which first broke the story, said that the breach had compromised the names, email addresses and phone numbers of 50 million Uber riders around the world.
The personal information of about seven million drivers was also accessed, as were 600,000 US driver’s licence numbers.
Travis Kalanick, the company’s former chief executive, also knew about the breach over a year ago, Bloomberg added.
The multi-billion dollar company said it believes the information was never used by the hackers and declined to disclose the identities of those who conducted the hack.
“While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection,” Uber’s new chief executive Dara Khosrowshahi said, according to the BBC.
Uber added in a statement: “At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals.
“We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures.”
Khosrowshahi, who joined Uber in September, added: “You may be asking why we are just talking about this now, a year later. I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it.”
The company has faced scrutiny over allegations of sexual harassment made earlier this year by ex-Uber engineer Susan Fowler, who detailed her experiences in a blog post titled “Reflecting on One Very, Very Strange Year at Uber”.
The company was also stripped of its licence to operate in London by the regulator Transport for London (TfL) after being deemed “not fit and proper” to hold a private hire operator licence.
Uber now says it has a legal obligation to report the hack to regulators and to drivers whose licence numbers were taken.