SAN FRANCISCO – Uber, the real-time ridesharing company in which drivers use their own cars to transport customers, said Tuesday that there was a significant data breach in 2016 that affected 57 million users and drivers.
CEO Dara Khosrowshahi said two people outside the company accessed user data stored on a third-party cloud-based service that the company uses. He said the incident did not breach the company’s corporate systems or infrastructure.
As of Tuesday, forensics experts do not have reason to believe that information such as trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth was downloaded.
The experts did say, however, that the unauthorized users were able to download and access other information, including:
- The names and driver’s license numbers of around 600,000 drivers in the United States and
- Some personal information of 57 million Uber users around the world, including the drivers described above. This information included names, email addresses and mobile phone numbers.
Khosrowshahi said Uber “took immediate steps to secure the data and shut down further unauthorized access,” making sure to identify the people responsible and obtain assurances that the downloaded data was destroyed.
In a preemptive response to questions of why this issue is just now being made known, Khosrowshahi said that he “had the same question” and has taken several actions to correct the misstep, including:
- Individually notifying drivers whose driver’s license numbers were downloaded
- Providing affected drivers with free credit monitoring and identity theft protection
- Monitoring the affected accounts and flagging them for additional fraud protection.
“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”