Last fall, Uber was the target of a massive data breach in which hackers stole the personal information of 57 million people—both users of the ride-hailing service and its drivers—and the company hid the breach from the public as it tried to pay the hackers to delete the information they stole.
The information stolen in the October 2016 breach included the names, email addresses and phone numbers of 50 million Uber riders around the world, Uber told Bloomberg on Tuesday. In addition, the information of 7 million drivers was compromised, including 600,000 U.S. driver’s license numbers. The company claims that no Social Security numbers, credit card information, trip-location details or other data were taken.
When the breach happened, Uber was already negotiating with U.S. regulators over separate claims of privacy violations. Instead of reporting the new breach to regulators, the company paid the hackers $100,000 to delete the data and keep the breach quiet.
In the wake of these revelations, Uber on Tuesday ousted Chief Security Officer Joe Sullivan and Craig Clark—a senior lawyer who reported to Sullivan—for their roles in keeping the hack under wraps.
Dara Khosrowshahi, who took over as Uber CEO in September, told Bloomberg in an emailed statement: “None of this should have happened, and I will not make excuses for it. We are changing the way we do business.”
“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” Khosrowshahi said.
In taking steps to correct the problem, the company has hired former National Security Agency general counsel and National Counterterrorism Center director Matt Olsen as an adviser to help restructure Uber’s security teams. The company has also hired cybersecurity firm Mandiant to investigate the hack.
In addition, the company has released a statement on its website addressing both customers and drivers about the incident.
Read more at Bloomberg.