Leaked All of Your Trips, Hookers, Infidelities, and EVERYTHING
naughty you did with Uber
paid hackers $100,000 to delete info, keep quiet
Security Officer Joe Sullivan and another exec ousted
Paid Hackers to Keep Massive Cyberattack Quiet
stole the personal data of 57 million customers and drivers from Uber
Technologies Inc., a massive breach that the company concealed
for more than a year. This week, the ride-hailing firm ousted its
chief security officer and one of his deputies for their roles in
keeping the hack under wraps, which included a $100,000 payment to

data from the October 2016 attack included names, email addresses
and phone numbers of 50 million Uber riders around the world, the
company told Bloomberg on Tuesday. The personal information of about
7 million drivers was accessed as well, including some 600,000 U.S.
driver’s license numbers. No Social Security numbers, credit card
information, trip location details or other data were taken, Uber

the time of the incident, Uber was negotiating with U.S. regulators
investigating separate claims of privacy violations. Uber now says
it had a legal obligation to report the hack to regulators and to
drivers whose license numbers were taken. Instead, the company paid
hackers to delete the data and keep the breach quiet. Uber said it
believes the information was never used but declined to disclose the
identities of the attackers.

of this should have happened, and I will not make excuses for it,”
Dara Khosrowshahi, who took over as chief executive officer in
September, said in an emailed statement. “We are changing the way we

Uber’s disclosure Tuesday, New York Attorney General Eric
Schneiderman launched an investigation into the hack, his
spokeswoman Amy Spitalnick said. The company was also sued
for negligence over the breach by a customer
seeking class-action status.

have successfully infiltrated numerous companies in recent years.
The Uber breach, while large, is dwarfed by those at Yahoo, MySpace,
Inc. What’s more alarming are the extreme
measures Uber took to hide the attack. The breach is the latest
scandal Khosrowshahi inherits from his predecessor, Travis

Uber’s co-founder and former CEO, learned of the hack in November
2016, a month after it took place, the company said. Uber had just
settled a lawsuit with the New York attorney general over data
security disclosures and was in the process of negotiating with the Federal
Trade Commission over the handling of
consumer data. Kalanick declined to comment on the hack.

Sullivan, the outgoing security chief, spearheaded the response to
the hack last year, a spokesman told Bloomberg. Sullivan, a onetime
federal prosecutor who joined Uber in 2015 from Facebook
Inc., has been at the center of much of the decision-making
back to bite Uber this year. Bloomberg
reported last month that the board commissioned an investigation
into the activities of Sullivan’s security team. This project,
conducted by an outside law firm, discovered the hack and the
failure to disclose, Uber said.

how the hack went down: Two attackers accessed a private GitHub
coding site used by Uber software engineers and then used login
credentials they obtained there to access data stored on an Amazon
Web Services account that handled computing tasks for the
company. From there, the hackers discovered an archive of rider and
driver information. Later, they emailed Uber asking for money,
according to the company.

patchwork of state and federal laws require companies to alert
people and government agencies when sensitive data breaches occur.
Uber said it was obligated to report the hack of driver’s license
information and failed to do so.

the time of the incident, we took immediate steps to secure the data
and shut down further unauthorized access by the
individuals,” Khosrowshahi said. “We also implemented security
measures to restrict access to and strengthen controls on our
cloud-based storage accounts.”

has earned a reputation for flouting regulations in areas where it
has operated since its founding in 2009. The U.S. has opened at
least five criminal probes into possible bribes, illicit software,
questionable pricing schemes and theft of a competitor’s
intellectual property, people familiar with the matters have said.
The San Francisco-based company also faces dozens of civil suits.

regulators including the National Crime Agency are also
looking into the scale of the breach.
London and other governments have previously taken steps toward
banning the service, citing what they say is reckless behavior by

January 2016, the New York attorney general fined Uber $20,000 for
failing to promptly disclose an earlier data breach in
2014. After last year’s cyberattack, the company was
negotiating with the FTC on a privacy settlement even as it haggled
with the hackers on containing the breach, Uber said. The company
finally agreed to the FTC settlement three months ago, without
admitting wrongdoing and before telling the agency about last year’s

new CEO said his goal is to change Uber’s ways. Uber said it
informed New York’s attorney general and the FTC about the October
2016 hack for the first time on Tuesday. Khosrowshahi asked for the
resignation of Sullivan and fired Craig Clark, a senior lawyer who
reported to Sullivan. The men didn’t immediately respond to requests

said in his emailed statement: “While I can’t erase the past, I can
commit on behalf of every Uber employee that we will learn from our

company said its investigation found that Salle Yoo, the outgoing
chief legal officer who has been scrutinized for her responses to
other matters, hadn’t been told about the incident. Her replacement,
Tony West, will start
at Uber on Wednesday and has been briefed on

CEO in June under pressure from investors, who said he put the
company at legal risk. He remains on the board and recently filled
two seats he controlled.

said it has hired Matt Olsen, a former general counsel at the
National Security Agency and director of the National
Counterterrorism Center, as an adviser. He will help the company
restructure its security teams. Uber hired Mandiant, a cybersecurity
firm owned by FireEye
Inc., to investigate the hack.

company plans to release a statement to
customers saying it has seen “no evidence of fraud or misuse tied to
the incident.” Uber said it will provide drivers whose licenses were
compromised with free credit protection monitoring and identity