Uber paid hackers $100,000 to keep data breach quiet

What's worse than being hacked? Covering up a hack.

Uber paid hackers $100,000 to keep data breach quiet

Bloomberg reports on what seems to be a security scandal at Uber.

The ride-sharing firm concealed the theft of personal information related to 57 million customers and drivers, and rather than inform the concerned parties “paid hackers $100,000 to delete the data and keep the breach quiet.”

The hack which Uber says is said to have happened in October 2016, and included the names, email addresses and phone numbers of 50 million Uber customers across the globe.

Bloomberg has the skinny on how the hack occurred, and it doesn’t portray Uber in a good light, being the latest example of careless developers leaving internal login passwords lying around online:

Here’s how the hack went down: Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.

Joe Sullivan, Uber’s chief security officer (and at one time the main security honcho at Facebook), spearheaded the company’s response to the breach alongside one other employee. Both are said to have left their positions at Uber this week.

Dara Khosrowshahi, who took over as CEO of Uber in September, has blogged saying “None of this should have happened, and I will not make excuses for it.”

No doubt regulators will also be asking tough questions about why it wasn’t informed about the breach until this week.

Uber says it has “not seen evidence of fraud or misuse tied to the incident.” Let’s hope that they are right, but I can certainly imagine ways in which the information could be abused by criminals without Uber ever becoming aware.

All companies would be wise to remember this: cock-ups are bad, but cover-ups can kill you.

You can ask forgiveness for being hacked, but many people will find it harder to forgive and forget if you deliberately concealed the truth from them.

For more discussion on this topic, be sure to listen to this episode of the Smashing Security podcast:

Listen on Apple Podcasts | Google Podcasts | Other… | RSS

Tags: ,

Share this article:

   Join thousands of others and sign up to our free "GCHQ" newsletter.

Smashing Security podcast
Check out "Smashing Security", the award-winning weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"It's brilliant!" • "Three people having fun in an industry often focused on bad news" • Winner of the Best Security Podcast 2018

Latest episodes:
Listen on Apple Podcasts Listen on Google Podcasts


2 Responses

  1. Jim

    November 23, 2017 at 2:09 pm #

    …delete the data .…”, how does Uber know the data was deleted?

    • AJC in reply to Jim.

      November 25, 2017 at 7:39 pm #

      The hackers are honourable people: they would never lie!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.