Bloomberg reports on what seems to be a security scandal at Uber.
The ride-sharing firm concealed the theft of personal information related to 57 million customers and drivers, and rather than inform the concerned parties “paid hackers $100,000 to delete the data and keep the breach quiet.”
The hack which Uber says is said to have happened in October 2016, and included the names, email addresses and phone numbers of 50 million Uber customers across the globe.
Bloomberg has the skinny on how the hack occurred, and it doesn’t portray Uber in a good light, being the latest example of careless developers leaving internal login passwords lying around online:
Here’s how the hack went down: Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.
Joe Sullivan, Uber’s chief security officer (and at one time the main security honcho at Facebook), spearheaded the company’s response to the breach alongside one other employee. Both are said to have left their positions at Uber this week.
Dara Khosrowshahi, who took over as CEO of Uber in September, has blogged saying “None of this should have happened, and I will not make excuses for it.”
No doubt regulators will also be asking tough questions about why it wasn’t informed about the breach until this week.
Uber says it has “not seen evidence of fraud or misuse tied to the incident.” Let’s hope that they are right, but I can certainly imagine ways in which the information could be abused by criminals without Uber ever becoming aware.
All companies would be wise to remember this: cock-ups are bad, but cover-ups can kill you.
You can ask forgiveness for being hacked, but many people will find it harder to forgive and forget if you deliberately concealed the truth from them.
For more discussion on this topic, be sure to listen to this episode of the Smashing Security podcast: