Uber said there is no evidence that hackers accessed user credit card, bank account or Social Security numbers during a data breach that occurred last year.
According to Fox Business, Uber revealed the update in a letter to U.S. senators who demanded information on the hack. A cybersecurity firm hired to investigate the hack did find that in some cases, the hackers got location information from the places where people signed up for the ride-sharing service, as well as heavily encoded versions of user passwords.
Last month, Uber disclosed that names, email addresses and mobile phone numbers of 57 million drivers and riders had been stolen in October of 2016. In a letter to four Republican senators, the company says that Mandiant, the security firm, found that 32 million of those are outside the U.S. and 25 million are within the country. Of the total, 7.7 million are drivers, mostly in the U.S., and the drivers’ license numbers for 600,000 of them were exposed.
Uber also said it has not seen evidence of fraud or misuse of data taken in the breach, which wasn’t revealed to the public until one year later. Two employees were fired for not disclosing the theft to “appropriate parties.”
The hackers emailed Uber’s U.S. security team anonymously on Nov. 14, 2016, telling them about the breach and demanding a payment. Uber tracked down the breach in private cloud data stored on Amazon’s web services and shut down access, which came through a “compromised credential,” the letter said.
The security team paid the hackers $100,000, and was able to track down their real names. Both hackers signed documents assuring that the stolen data was destroyed. Team members found that the hackers first gained access on Oct. 13, 2016, and there was no further access after Nov. 15, 2016.
“None of this should have happened, and I will not make excuses for it,” Uber CEO Dara Khosrowshahi said in a blog post. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
Uber announced last month that it has retained Matt Olsen, the former general counsel of the National Security Agency, to aid in an internal restructuring of its cybersecurity response teams. Uber also agreed earlier this year to undergo 20 years of outside audits of its cybersecurity protocols in response to another incident in 2014.
In addition, Uber installed additional protections to stop hackers, including a two-step authentication for one of the services that was hacked, the letter said.