Uber paid hackers $100,000 to keep data breach quiet

Graham Cluley

Bloomberg reports on what seems to be a security scandal at Uber.

The ride-sharing firm concealed the theft of personal information related to 57 million customers and drivers, and rather than inform the concerned parties “paid hackers $100,000 to delete the data and keep the breach quiet.”

The hack, which Uber says happened in October 2016, included the names, email addresses and phone numbers of 50 million Uber customers across the globe.

Bloomberg has the skinny on how the hack occurred, and it doesn’t portray Uber in a good light, being the latest example of careless developers leaving internal login passwords lying around online:

Here’s how the hack went down: Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.
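The failure described above is credentials committed to a code repository. As an added example (not from the article or from Uber), here is a minimal scanner for AWS-style access key IDs and secret keys that a team could run as a pre-commit check; the patterns are the publicly documented AWS key formats, and the config it scans is constructed, with made-up, invalid values.

```python
import re

# AWS access key IDs begin with AKIA (long-term) or ASIA (temporary)
# followed by 16 upper-case alphanumerics.
AWS_ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")

# Secret access keys are 40 chars of a base64-like alphabet. Requiring a
# nearby "secret_key"-style variable name keeps false positives down.
AWS_SECRET_KEY_RE = re.compile(
    r"(?i)(aws)?_?secret(?:_access)?_key\W{0,3}['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def redact(value):
    """Keep a short prefix so a finding can be correlated without re-leaking it."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(text, path="<memory>"):
    """Return (path, line_no, kind, redacted_value) for every credential found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append((path, line_no, "aws_access_key_id", redact(m.group(1))))
        for m in AWS_SECRET_KEY_RE.finditer(line):
            findings.append((path, line_no, "aws_secret_access_key", redact(m.group(2))))
    return findings


# Constructed sample of a config file that should never have been committed.
# Both values are fabricated for this example and are not valid credentials.
SAMPLE_CONFIG = """\
# deploy settings
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE01"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION = "us-east-1"
"""

if __name__ == "__main__":
    for path, line_no, kind, value in scan_text(SAMPLE_CONFIG, "config.py"):
        print("%s:%d %s %s" % (path, line_no, kind, value))
```

Run against a real tree, the same function would be called on each staged file; a non-empty result should fail the commit.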

Joe Sullivan, Uber’s chief security officer (and at one time the main security honcho at Facebook), spearheaded the company’s response to the breach alongside one other employee. Both are said to have left their positions at Uber this week.

Dara Khosrowshahi, who took over as CEO of Uber in September, has blogged saying “None of this should have happened, and I will not make excuses for it.”

No doubt regulators will also be asking tough questions about why they weren’t informed about the breach until this week.

Uber says it has “not seen evidence of fraud or misuse tied to the incident.” Let’s hope that they are right, but I can certainly imagine ways in which the information could be abused by criminals without Uber ever becoming aware.

All companies would be wise to remember this: cock-ups are bad, but cover-ups can kill you.

You can ask forgiveness for being hacked, but many people will find it harder to forgive and forget if you deliberately concealed the truth from them.

For more discussion on this topic, be sure to listen to this episode of the Smashing Security podcast:

Smashing Security #055: 'Uber, net neutrality, and website hacks'


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
