Uber paid hackers $100,000 to keep data breach quiet

What’s worse than being hacked? Covering up a hack.

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

Uber paid hackers $100,000 to keep data breach quiet

Bloomberg reports on what seems to be a security scandal at Uber.

The ride-sharing firm concealed the theft of personal information related to 57 million customers and drivers, and rather than inform the concerned parties “paid hackers $100,000 to delete the data and keep the breach quiet.”

The hack which Uber says is said to have happened in October 2016, and included the names, email addresses and phone numbers of 50 million Uber customers across the globe.

Sign up to our free newsletter.
Security news, advice, and tips.

Bloomberg has the skinny on how the hack occurred, and it doesn’t portray Uber in a good light, being the latest example of careless developers leaving internal login passwords lying around online:

Here’s how the hack went down: Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.

Joe Sullivan, Uber’s chief security officer (and at one time the main security honcho at Facebook), spearheaded the company’s response to the breach alongside one other employee. Both are said to have left their positions at Uber this week.

Dara Khosrowshahi, who took over as CEO of Uber in September, has blogged saying “None of this should have happened, and I will not make excuses for it.”

No doubt regulators will also be asking tough questions about why it wasn’t informed about the breach until this week.

Uber says it has “not seen evidence of fraud or misuse tied to the incident.” Let’s hope that they are right, but I can certainly imagine ways in which the information could be abused by criminals without Uber ever becoming aware.

All companies would be wise to remember this: cock-ups are bad, but cover-ups can kill you.

You can ask forgiveness for being hacked, but many people will find it harder to forgive and forget if you deliberately concealed the truth from them.

For more discussion on this topic, be sure to listen to this episode of the Smashing Security podcast:

Smashing Security #055: 'Uber, net neutrality, and website hacks'

Listen on Apple Podcasts | Spotify | Pocket Casts | Other... | RSS
More episodes...


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

2 comments on “Uber paid hackers $100,000 to keep data breach quiet”

  1. Jim

    "…delete the data ….", how does Uber know the data was deleted?

    1. AJC · in reply to Jim

      The hackers are honourable people: they would never lie!

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.