The two people behind a 2016 data breach at Uber Technologies Inc were found to be in Canada and Florida, an Uber cyber security executive told the U.S. Congress on Tuesday.
About 25 million of the users affected by the breach are located in the United States, John Flynn, chief information security officer at Uber, said in written testimony to a Senate Commerce Committee panel. Uber announced the breach of 57 million worldwide users last November.
Of those impacted in the United States, 4.1 million were drivers, according to the testimony.
The testimony from Flynn is the most comprehensive public account to date of the Uber hack, the handling of which prompted newly appointed Uber Chief Executive Dara Khosrowshahi to fire two of the company’s top security officials.
Reuters reported in December that a 20-year-old man was primarily behind the massive data breach, and that he was paid by Uber to destroy the data through a so-called “bug bounty” program normally used to identify small code vulnerabilities.
Flynn confirmed the man who obtained data from Uber was in Florida and that his partner, who first contacted the company on Nov. 14, 2016, to demand a six-figure payment, was located in Canada. The company’s security team made contact with both people and received assurances the pilfered data had been destroyed before paying the intruders $100,000, Flynn said.
Uber has received criticism for its handling of the breach, and lawmakers in both parties on Tuesday piled on with several admonishments.
“The fact that the company took approximately a year to notify impacted users raises red flags within this committee as to what systemic issues prevented such time-sensitive information from being made available to those left vulnerable,” Republican Jerry Moran said.
Flynn repeatedly acknowledged Uber had made mistakes and that it should not have used the company’s bug bounty service – designed to reward security researchers who report flaws found in a company’s software – to negotiate with a hacker seeking to extort money.
“We made a misstep in not reporting to consumers, and we made a misstep in not reporting to law enforcement,” he said.
The compromised data included names, phone numbers and email addresses but not Social Security numbers or credit card information. The driver’s license numbers of 600,000 drivers were also compromised.