Uber Hid 2016 Breach, Paying Hackers to Delete Stolen Data

SAN FRANCISCO — Uber disclosed Tuesday that hackers had stolen 57 million driver and rider accounts and that the company had kept the data breach secret for more than a year after paying a $100,000 ransom.

The deal was arranged by the company’s chief security officer and under the watch of the former chief executive, Travis Kalanick, according to several current and former employees who spoke on the condition of anonymity because the details were private.

The security officer, Joe Sullivan, has been fired. Mr. Kalanick was forced out in June, although he remains on Uber’s board.

The two hackers stole data about the company’s riders and drivers — including phone numbers, email addresses and names — from a third-party server and then approached Uber and demanded $100,000 to delete their copy of the data, the employees said.

Uber acquiesced to the demands, and then went further. The company tracked down the hackers and pushed them to sign nondisclosure agreements, according to the people familiar with the matter. To further conceal the damage, Uber executives also made it appear as if the payout had been part of a “bug bounty” — a common practice among technology companies in which they pay hackers to attack their software to test for soft spots.

The breach at Uber is far from the most serious exposure of sensitive customer information. The two breaches that Yahoo announced in 2016 eclipse Uber’s in size, and an attack disclosed in September by Equifax, the consumer credit reporting agency, exposed a far deeper trove of personal information for a far larger group of people.

But the handling of the breach underscores the extent to which Uber executives were willing to go to protect the $70 billion ride-hailing giant’s reputation and business, even at the potential cost of breaking users’ trust and, perhaps more important, state and federal laws. The New York attorney general’s office said on Tuesday that it had opened an investigation into the matter.

Dara Khosrowshahi, who was chosen to be chief executive of Uber in late August, said he had only recently learned of the breach.

“None of this should have happened, and I will not make excuses for it,” Mr. Khosrowshahi said in a company blog post. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”

A spokeswoman for Mr. Kalanick declined to comment.

The revelation of the breach and the way it was kept quiet renewed questions about the tenure of Mr. Kalanick, who has faced criticism over his management style and practices after Uber came under scrutiny for its workplace culture this year. The New York Times also reported on a secret program called Greyball that had been undertaken on Mr. Kalanick’s watch, in which Uber staff members surveilled law enforcement officials in order to evade them. Since his exit as chief executive, he has been sued by one of Uber’s earlier investors for fraud.

The breach is also a black mark for Mr. Sullivan, who was a prominent figure in the information security industry. Mr. Sullivan joined Uber as the company’s first chief security officer in 2015, after serving as the head of security at Facebook for seven years.

Unlike many cybersecurity executives, Mr. Sullivan was previously a lawyer and had studied cyberlaw at the University of Miami. He began his career in the technology industry as a federal prosecutor during the tech boom of the late 1990s, working at companies including eBay in 2002, where he was head of trust and safety.

Mr. Sullivan’s decision to join Uber was seen as a win for the company. As Uber’s ranks of drivers and riders had grown, people in and outside the company became worried about privacy and security. Uber had faced complaints about driver and rider assaults, as well as allegations that it was not doing enough to protect rider data. Mr. Sullivan was tasked with keeping drivers and riders safe.

The other Uber employee who was fired alongside Mr. Sullivan was Craig Clark, the company’s legal director of security and law enforcement. Neither Mr. Sullivan nor Mr. Clark responded to requests for comment.

The company’s decision to conceal the breach and pay the ransom quickly raised questions among security experts. Many have repeatedly warned companies against paying hackers a ransom to cover up breaches or return stolen data, advice that was included in a 2016 statement from the F.B.I. And several states including California have laws mandating that companies disclose when they are breached by hackers.

“Companies are funding organized crime, an industry of criminals is being created,” said Kevin Beaumont, a cybersecurity expert based in Britain. “The good guys are creating a market for the bad guys. We’re enabling them to monetize what years ago would have been teenagers in bedrooms breaching companies for fun.”

Uber has experienced breaches before. The company was hit with a data breach in May 2014, an event Uber discovered later that year and disclosed in February 2015. In that attack, the names and driver’s licenses of more than 50,000 of the company’s drivers were compromised.

This latest breach puts Uber in another difficult situation just as the company is working to repair its battered image and preparing to seek an initial public offering in 2019. Mr. Khosrowshahi has characterized his tenure at the company as “Uber 2.0.” As part of that, he has tossed out the aggressive corporate values that were prized by Mr. Kalanick and given the ride-hailing service a new list of values that includes “doing the right thing. Period.”

Uber has hired Matt Olsen, former general counsel at the National Security Agency, as an adviser, and has retained Mandiant, a security firm, to conduct an independent investigation of the security breach. Uber said Mr. Olsen planned to reorganize the company’s security team.

But the damage has already been done, and Uber officials are aware of the long road back to good standing with the public.

While it is not illegal to pay money to hackers, Uber may have violated several laws in its interaction with them.

By demanding that the hackers destroy the stolen data, Uber may have violated a Federal Trade Commission rule on breach disclosure that prohibits companies from destroying any forensic evidence in the course of their investigation.

The company may have also violated state breach disclosure laws by not disclosing the theft of Uber drivers’ data. If the data stolen was not encrypted, Uber would have been required by California state law to disclose that driver’s license data from its drivers had been stolen in the course of the hacking.

An Uber spokesman declined to comment.
