Uber suffered a breach in October 2016, which resulted in the compromise of sensitive information of some 57 million users and drivers, and paid off the hackers to keep mum about it.
According to a statement by current Uber CEO Dara Khosrowshahi, the stolen data included names, email addresses and mobile phone numbers of users and drivers around the world, as well as driver’s license numbers of around 600,000 drivers in the United States.
“Our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers, or dates of birth were downloaded,” he said.
The company paid the two hackers $100,000 to destroy the stolen data and to keep quiet about the hack.
Given that the hack is only now coming to light, it seems that they have kept that part of their bargain, but there’s effectively no way to prove that they’ve actually deleted the data. They could be keeping it to repeat their ransom request at a later date, or they’ve might already quietly sold it or used it.
“Paying hackers to be quiet is not a common tactic. It’s certainly under represented because people generally aren’t going to tell the world that they’re doing it,” notes Vincent Weafer, VP of Labs, McAfee.
“But, if we look at ransomware, a more common example of people paying criminals, we know that there’s a high percentage of cases where paying does not result in data being restored. You’re essentially relying on the integrity of criminals, and the wisdom or value of that is obviously debatable.”
How did the hackers manage to get their hands on the data?
According to Bloomberg, the attackers accessed an insecure private Github repository used by Uber software engineers, scoured the code for sensitive info, found login credentials, and used them to access data stored on a company Amazon Web Services account.
Zohar Alon, co-founder and CEO, Dome9, says that this type of user error is inexplicable for an organization as large as Uber.
“There are tools available right now within GitHub that automatically check code for embedded access credentials such as AWS API keys. This is something that Uber, and any organization that is developing code, can and should implement whenever a software engineer checks in code to GitHub,” he noted.
“Relying on a developer or administrator to follow best practices is foolhardy at scale and the errors seem to be more egregious each and every time a breach makes the headlines.”
Why was the breach not disclosed at the time?
Apparently, the breach happened around the time the company was negotiating with the Federal Trade Commission on a privacy settlement regarding a breach that happened in 2014 and wasn’t properly disclosed. Before that, in January 2016, the New York attorney general fined Uber $20,000 for its failure to disclose that breach.
Allegedly, Uber’s Chief Security Officer Joe Sullivan and his top aide were the ones who decided to pay off the hackers and Travis Kalanick, Uber’s co-founder and CEO at the time, found out about the hack in November 2016, a month after it took place.
Kalanick was forced to resign as the CEO in June 2017 due to allegations that he failed to do anything about the sexual harassment rampant at Uber. Sullivan, a former US Federal Prosecutor who joined Uber in 2015 from Facebook, has now been fired, along with another individual “who led the response to this incident.”
Uber has long had the image of a company that does not care about rules, regulations or ethics in its quest to become the most widespread ride-hailing company. With this latest revelation, Khosrowshahi is trying to change it.
“None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers,” he said.
Will the company face repercussions?
It depends on how regulators and users react.
As we’ve seen before, the fines that the company had to pay because it didn’t disclose a previous breach were pitifully small or non-existent. Other infractions were also sanctioned in ways that obviously didn’t affect the company much, or made the ones in charge decide to change tack. It remains to be seen if Khosrowshahi will keep this latest promise and finally do that.
Also, as Dissent Doe put it, “let’s see if ousting an employee or two will be enough to appease the regulatory gods of commerce, or if the firm will still get a massive smackdown from either the FTC, state attorneys general, or both.”
Users and drivers, on the other hand, could stop using the ride-hailing service and make their feelings known that way. Still, it’s doubtful that a massive enough exodus can happen to affect the company in the long term, as they offer a service that has no good enough (read: cheap enough) counterpart in many places where it operates.
“Ride sharing has exploded, and cybercriminals know that companies like Uber collect sensitive data, including credit card details and other personal information about drivers and customers,” noted Gary Davis, Chief Consumer Security Evangelist, McAfee.
“This cyberattack illustrates the growing trend to target companies whose rapid growth has strained their ability to properly safeguard sensitive data. While Uber has indicated the stolen information was mostly limited to names, email addresses and phone numbers, as well as license numbers from some of its drivers, it’s better to be safe than sorry. If you’re an Uber customer or driver you should change your password immediately, monitor your credit card statement for suspicious activity, and beware of scammers who may try to exploit this attack, especially as we move into the holiday season.”