Uber Paid Hackers to Delete Stolen Data on 57 Million People

Nov 21 2017

Bloomberg and Reuters articles plus my comments

If you have used Uber before this Oct 2016 breach you may want to try and confirm what data was exposed and take appropriate steps if needed.

They are saying the attack included names, email addresses and phone numbers.

It is very concerning that the breach was not reported to regulators and users in the Countries affected initially as required. Their Chief Security Officer and another exec fired after it alleged they consealed the breach and paid off the hackers. Were they skate goats paid off to take the fall? The trend in serious wrongdoing and investigations is there.

How can they be certain the stolen data deleted? This is only encouraging more hacking.

British law carries a maximum penalty of 500,000 pounds ($662,000) for failing to notify users and regulators when data breaches and similar laws in many other countries.

Is there a balance they can find where there is an deterent but not encouraging concealing?

The Uber breach, while large, is dwarfed by those at Yahoo, MySpace, Target Corp., Anthem Inc. and Equifax Inc

The way this breach occured should be a warning to companies, software devolopers and others involved.

Two hackers gained access to proprietary information stored on GitHub, a service that allows engineers to collaborate on developing software code. There, the two people stole Uber’s credentials for a separate cloud-services provider where they were able to download driver and rider data. A GitHub spokesperson said their secuirty systems were not compromised.



Archive of Bloomberg article

Uber Paid Hackers to Delete Stolen Data on 57 Million People


Eric Newcomer

Updated on

  • Company paid hackers $100,000 to delete info, keep quiet

  • Chief Security Officer Joe Sullivan and another exec ousted

    Uber Paid Hackers to Keep Massive Cyberattack Quiet

    Uber Technologies Inc., a massive breach that the company concealed for more than a year. This week, the ride-hailing firm ousted its chief security officer and one of his deputies for their roles in keeping the hack under wraps, which included a $100,000 payment to the attackers.

    Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world, the company told Bloomberg on Tuesday. The personal information of about 7 million drivers was accessed as well, including some 600,000 U.S. driver’s license numbers. No Social Security numbers, credit card information, trip location details or other data were taken, Uber said.

    At the time of the incident, Uber was negotiating with U.S. regulators investigating separate claims of privacy violations. Uber now says it had a legal obligation to report the hack to regulators and to drivers whose license numbers were taken. Instead, the company paid hackers to delete the data and keep the breach quiet. Uber said it believes the information was never used but declined to disclose the identities of the attackers.

    Dara Khosrowshahi

    Photographer: Matthew Lloyd/Bloomberg

    “None of this should have happened, and I will not make excuses for it,” Dara Khosrowshahi, who took over as chief executive officer in September, said in an emailed statement. “We are changing the way we do business.”

    Read more: Uber Pushed the Limits of the Law. Now Comes the Reckoning

    After Uber’s disclosure Tuesday, New York Attorney General Eric Schneiderman launched an investigation into the hack, his spokeswoman Amy Spitalnick said. The company was also sued for negligenceover the breach by a customer seeking class-action status.

    Hackers have successfully infiltrated numerous companies in recent years. The Uber breach, while large, is dwarfed by those at Yahoo, MySpace, Target Corp., Anthem Inc. and Equifax Inc. What’s more alarming are the extreme measures Uber took to hide the attack. The breach is the latest scandal Khosrowshahi inherits from his predecessor, Travis Kalanick.

    Read more: Gadfly’s Shira Ovide says Kalanick must speak

About Kevin Yaworski

I use my blog to write about things that I think are a matter of public interest or that I think others will be interested in
This entry was posted in Computers and Internet, justice, News and politics, Science & Technology and tagged , , . Bookmark the permalink.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s