Hackers Stole Data From 57 Million Uber Drivers and Customers, Uber Paid $100K to Hide Attack

[MacRumors]

Uber suffered a massive data breach last year that exposed the personal data of 57 million customers and drivers, reports Bloomberg. The attack occurred in October of 2016 and included personal information from 50 million Uber riders and 7 million Uber drivers.

Two hackers reportedly accessed a private GitHub repository used by Uber's software engineers and then used those credentials to breach an Amazon Web Services account that contained an archive of rider and driver information.

Email addresses and phone numbers were stolen from riders, while hackers were able to obtain email addresses, phone numbers, and driver's license numbers from drivers. Uber says social security numbers and trip location data were not accessed in the attack.

Rather than disclosing the attack when Uber learned of it in November of 2016, the company instead paid hackers $100,000 to delete the data and keep quiet about the breach. Uber did not disclose the identity of the hackers, but did say it believes the information was not used or otherwise sold.

Uber's new CEO, Dara Khosrowshahi, says the attack and the coverup should not have happened, and that Uber is "changing the way we do business." Khosrowshahi says he is aiming to change the way Uber operates, and as part of that effort, Uber informed the FTC and attorney general about the attack this morning.

"At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals," Khosrowshahi said. "We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts."

Uber's efforts to conceal the hack were led by chief security officer Joe Sullivan, who has been ousted from the company. Uber also let go of Craig Clark, a senior lawyer who worked with Sullivan.

In light of the attack, Uber has hired Matt Olsen, who previously served as general counsel at the National Security Agency. Uber says Olsen will help the company restructure its security teams.

Article Link: Hackers Stole Data From 57 Million Uber Drivers and Customers, Uber Paid $100K to Hide Attack

 

[Mansu944]

I am deleting my account right now...

 

[Solomani]

This is very up-Lyfting news!

 

[Lerxt]

Another nail in the coffin for Uber for me. As soon as a decent competitor arrives where I live, I’m bailing out.

 

[69Mustang]

[whole bunch of expletives] Uber!

 

[826317]

Uber is just not a nice company.

 

[Robert.Walter]

Did they disclose because it was leaking out?

 

[dannyyankou]

The will be the last straw for many people who have Lyft as an alternative. PR nightmare.

 

[just.jon]

Uber needs to go, now. The Justice Department needs to be looking hard at them for a handful of reasons.

 

[garirry]

Jesus christ first the net neutrality thing and now this... what a day.

 

[The Game 161]

what customer data though? numbers? as surely people just pay via cash?

 

[nabeel24]

How shady is this company...

 

[now i see it]

All the hackers got were names and email addresses (of riders). Big deal.

 

[Watabou]

Uber's efforts to conceal the hack were led by chief security officer Joe Sullivan, who has been ousted from the company. Uber also let go of Craig Clark, a senior lawyer who worked with Sullivan.

The blame doesn’t just lie with those two. How did the rest of Uber’s upper management not notice why they paid $100K?

 

[Packers1958]

Yea, I really believe the hackers deleted the info after getting paid, because you can always take the word of a criminal.
[doublepost=1511304732][/doublepost]

The blame doesn’t just lie with those two. How did the rest of the company upper management not notice why they paid $100 million?

$100,000 not 100 million.

 

[dannyyankou]

All the hackers got were names and email addresses (of riders). Big deal.

Sure, but you're not going to defend Uber paying the hackers $100k to hide it are you? It's as shady as it gets. If they were upfront and honest about the hack I might have forgiven them.

 

[Contra1971]

I see a law suit against Uber for this in the near future

 

[DevNull0]

All these companies see security as a cost that has no return. So it's where they think they can cut corners.

 

[Doctor Q]

Can you trust hackers not to use (i.e, sell) the data they stole, even if you pay them? If they take your data, take your money, AND use the data, should you take them to court or offer them more money?

Note to self: Perhaps it's not a great idea to store your internal passwords in your GitHub account.

 

[scottcampbell]

All the hackers got were names and email addresses (of riders). Big deal.

What's your name and email address?

 

[blacktape242]

oh god....its like the govt. paying all those people off who were sexually abused.....disgusting all the way around!

 

[kdarling]

Sure, but you're not going to defend Uber paying the hackers $100k to hide it are you? It's as shady as it gets. If they were upfront and honest about the hack I might have forgiven them.

If Uber hadn't paid, then the hackers would've sold the info to people up to no good.

Which would you prefer? Lots of publicity with your info sold, or no publicity and your info safe?

 

[kildraik]

Uber is as shady as most of their drivers. Astonishing, yet unsurprising given their history.

 

[patent10021]

Unfortunately I think Uber will soon be operating in Vancouver, Canada. I'd much rather see Didi, Grab or Lyft in Vancouver than Uber. Didi drivers and company are awesome.

 

[Rudy69]

If Uber hadn't paid, then the hackers would've sold the info to people up to no good.

Which would you prefer? Lots of publicity with your info sold, or no publicity and your info safe?

How do you know it won't be sold in the future? (If it hasn't already)