Uber CEO Knew About Hacking Two Months Before Telling the Public, Report Says

The company wanted to know exactly how many people were affected before going public.

Hemant Mishra/Mint

Uber CEO Dara Khosrowshahi knew for about a week that a software vulnerability exposed the data of 57 million users well before the breach was made public, according to The Wall Street Journal. The paper says Khosrowshahi was informed two weeks after he took over as CEO Sept. 5, although the public didn't find out until last week.

Uber had its reasons for keeping the problem under wraps as long as it did, according to the report. Khosrowshahi ordered an investigation, and the company didn't want to make any information public until that investigation was completed, and the exact number of people affected was determined. The company also wanted to fire the two executives that covered up the data breach.

Potential Uber investor SoftBank was reportedly informed of the issue before the public, although Uber was not sure how many people were affected at the time. In a statement, the ride-hailing company said it had a "duty" to disclose that information to a potential investor ahead of the public disclosure.

Khosrowshahi said the breach occurred late in 2016 and involved two individuals outside the company accessing user data stored on a third-party cloud service. He said "outside forensics experts" had determined that no trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded, but that the names and license numbers of around 600,000 U.S. Uber drivers, and names, email addresses and, cell phone numbers of 57 million global users were accessed.

Bloomberg initially reported that Uber paid hackers $100,000 to delete stolen data and not report the breach. The company is now reportedly investigating how the incident was handled and why it was not immediately reported to customers and authorities. That's something regulators will probably be eager to find out.