Uber paid hackers to hide 57m-user breach

22 Nov 2017

Uber app. Image: Mrmohock/Shutterstock

Uber has fired its CSO as details of a major data breach and corporate cover-up emerge.

Uber covered up a massive hack that exposed the data of 57m customers and drivers. Not only that, but the firm paid hackers $100,000 to delete data and keep the breach quiet.

It has emerged that the chief security officer (CSO) of Uber, Joe Sullivan, has been fired for his part in concealing the breach that occurred in October 2016.


The stolen customer data included names, email addresses and phone numbers; the hackers also took the names and licence numbers of 7m drivers worldwide, including around 600,000 in the US.

Location data, credit card numbers, bank account numbers, social security numbers and birth dates were not exposed in the breach, which was first reported by Bloomberg.

Uber was held to ransom

“None of this should have happened, and I will not make excuses for it,” Uber chief executive Dara Khosrowshahi said in a statement.

“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”

The breach is understood to have occurred while Uber was in negotiations with US regulators over separate privacy violations.

Following Uber’s disclosure, the attorney general of New York, Eric Schneiderman, has launched an investigation into the hack. Uber was fined $20,000 by Schneiderman in 2016 for failing to disclose an earlier data breach in 2014.

While this incident is dwarfed by breaches at Yahoo, Target, Anthem and Equifax, it is the measures that Uber took to hide the attack that are causing the most surprise.

The hack, which previous CEO Travis Kalanick had learned about a month after it occurred in 2016, only came to light after an outside law firm, commissioned to investigate Sullivan’s security team, discovered what had happened.

It is understood that the hackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they found there to access data stored on an Amazon Web Services account. This enabled them to discover an archive of rider and driver information. The hackers then contacted Uber, offering the return or destruction of the data for a ransom.
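The chain described above starts with cloud credentials sitting in a source repository. The control that breaks that chain is scanning commits for such credentials before they land (in a pre-commit hook or CI job) and rotating anything found. The following is an added example, not code from the article or from Uber: a small Python scanner that walks a constructed in-memory "repository", flags AWS access key IDs by their documented `AKIA` prefix format, and flags 40-character values next to a secret-key label only when their Shannon entropy is high enough to look like a real key rather than a placeholder. The secret-key regex and the 4.0-bit entropy threshold are this example's own heuristics, not an AWS specification; the key values in the sample files are the placeholder credentials AWS uses in its documentation, not live keys.

```python
import math
import re

# AWS's documented access key ID format: "AKIA" followed by 16 uppercase
# alphanumerics. The secret-key pattern below is this example's heuristic:
# a label containing "secret ... key" followed by a 40-character base64-ish
# value (an assumption, not an AWS specification).
AWS_ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
AWS_SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\W{0,3}['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def shannon_entropy(s: str) -> float:
    """Bits per character of s. Random secrets score high; prose and
    placeholder strings such as 'xxxx...' score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, path: str, min_secret_entropy: float = 4.0) -> list:
    """Return one finding dict per credential-looking value in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append({"path": path, "line": lineno,
                             "kind": "aws_access_key_id", "value": m.group(1)})
        for m in AWS_SECRET_KEY_RE.finditer(line):
            candidate = m.group(1)
            # Entropy gate: documentation placeholders like 40 x's match the
            # shape of a key but carry almost no information, so skip them.
            if shannon_entropy(candidate) >= min_secret_entropy:
                findings.append({"path": path, "line": lineno,
                                 "kind": "aws_secret_access_key",
                                 "value": candidate})
    return findings


def scan_repo(files: dict) -> list:
    """files maps repository path -> file content; returns all findings."""
    findings = []
    for path, content in files.items():
        findings.extend(scan_text(content, path))
    return findings


# Constructed sample repository for the example. The AKIA... and wJalr...
# values are the placeholder credentials from AWS's own documentation.
SAMPLE_REPO = {
    "config/prod.env": (
        "DB_HOST=db.internal\n"
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "README.md": (
        "Set AWS_ACCESS_KEY_ID=<your key> and\n"
        "AWS_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"
    ),
    "deploy/settings.py": (
        'aws_access_key = "AKIAIOSFODNN7EXAMPLE"\n'
        'aws_secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
}


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        # Print the path, line and kind only; never echo the secret itself
        # into CI logs, which are often more widely readable than the repo.
        print(f"{f['path']}:{f['line']}: {f['kind']}")
```

Run in a pre-commit hook or CI, a non-empty result should fail the commit. Finding a key this way is only the first half of the response: the key must be treated as compromised and rotated, because removing it from the tree does not remove it from history or from any clone already taken. Replacing long-lived static keys with short-lived role credentials removes the class of finding altogether.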

“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorised access by the individuals,” Khosrowshahi said.

“We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”

For such a young company, Uber has found itself in a world of trouble, including sexual harassment scandals that toppled the leadership team earlier this year. The company is undergoing at least five criminal probes spanning bribes, illicit software, pricing schemes and the theft of IP.


John Kennedy is a journalist who served as editor of Silicon Republic for 17 years
