You may have heard by now that Uber, the ride-sharing company, was hacked last year. It was a data breach that involved the personal information of 57 million users and drivers including names, phone numbers, and email addresses. To make matters worse, Uber didn’t tell anybody about the data breach.
The company has taken a number of hits over the last few years, from sexual harassment allegations to shady business dealings. Failing to disclose their massive data breach to regulators hasn’t done much to help their image.
The hackers took a fairly obvious route to getting the data. They discovered the access to Uber’s GitHub account, where they found the login credentials to Uber’s Amazon cloud server. GitHub is a website where developers store code, and it’s not uncommon for all kinds of usernames and passwords to be stored there. It is, sadly, a pretty common and easily preventable mistake.
Once Uber discovered that hackers had 57 million records, they decided to make a $100,000 payment for the hackers to destroy the data instead of alerting authorities, despite being required to do so in most states, including California, where Uber has its headquarters. In addition to facing fines from the FTC, agencies in other countries are looking into taking action against the company.