TORONTO — One of the hackers involved in stealing data connected to 57 million Uber users in 2016 was located in Canada.
The ride-hailing company revealed the hacker reached out to the company in November 2016, asking for a "six-figure payment," but it was an accomplice in Florida, who it believes actually obtained the stolen data, which included names, email addresses and mobile phone numbers.
The revelations are part of a statement the company's chief information security officer John Flynn made to a U.S. subcommittee handling consumer protection and data security on Tuesday.
They offer a glimpse into a chapter of Uber's history that has been mired in controversy since the company admitted it tried to cover up the breach for more than a year by paying the hackers $100,000 to destroy the information.
"It was wrong not to disclose the breach earlier," Flynn admitted Tuesday. "The company is taking steps to ensure that an incident like this does not happen again, with personnel changes and additional remedial actions."
In the wake of the scandal, the company fired chief and deputy security officers and faced a formal investigation from the federal privacy commission.
Flynn did not say how many Canadians were affected by the breach, but said approximately 25 million Americans were impacted.
For nearly all users, the downloaded files included names, email addresses and phone numbers, but Uber has yet to find any proof that trip location history, credit card numbers, bank account numbers, Social Security numbers, or dates of birth were compromised.
Flynn said the hackers first made contact by sending emails to Uber's security team, which investigated and found that someone working with the hacker had obtained access to archived copies of Uber databases and files located on its private cloud storage system on Amazon Web Services.
The hackers gained access to the system with a "credential contained within code on a private repository for Uber engineers on GitHub, which is a third party site that allows people to collaborate on code," Flynn said. Flynn said Uber ceased using GitHub, except for open-source code, and locked down the entry point within 24 hours.
To his knowledge, the intruders started to access the data on Oct. 13, 2016 and didn't access it again after November 15, 2016.