Uber concealed cyber attack that exposed data of 57 million users and drivers

Uber failed to disclose a massive breach last year that exposed the data of some 57 million users of the ride-sharing service, the company's new chief executive officer says.
Uber said the attack, which occurred in late 2016, gave up names, email addresses and phone numbers of its users and drivers.
Uber said the attack, which occurred in late 2016, gave up names, email addresses and phone numbers of its users and drivers.PHOTO: AFP

SAN FRANCISCO (Reuters, Washington Post) - Uber Technologies Inc paid hackers US$100,000 (S$135,000) to keep secret a massive breach last year that exposed the personal information of about 57 million accounts of the ride-service provider, the company said. 

Discovery of the US company’s cover-up resulted in the firing of two employees responsible for its response to the hack, said Dara Khosrowshahi, who replaced co-founder Travis Kalanick as CEO in August.

“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said in a blog post. The breach occurred in October 2016 but Khosrowshahi said he had only recently learned of it.

The hack is another controversy for Uber on top of sexual harassment allegations, a lawsuit alleging trade secrets theft and multiple federal criminal probes that culminated in Kalanick’s ouster in June.

The stolen information included names, e-mail addresses and mobile phone numbers of Uber users around the world, and the names and licence numbers of 600,000 US drivers, Khosrowshahi said.

Uber passengers need not worry as there was no evidence of fraud, while drivers whose licence numbers had been stolen would be offered free identity theft protection and credit monitoring, Uber said.

Two hackers gained access to proprietary information stored on GitHub, a service that allows engineers to collaborate on software code. There, the two people stole Uber’s credentials for a separate cloud-services provider where they were able to download driver and rider data, the company said.

A GitHub spokeswoman said the hack was not the result of a failure of GitHub’s security.

  • Other major data breaches

  • Yahoo accounts - 3 billion

    Onliner Spambot accounts - 711m

  • Exploit.In accounts - 593m

  • Anti Public Combo List accounts - 457m

    River City Media Spam List accounts - 393m

    MySpace accounts - 359m

    NetEase accounts - 234m

    LinkedIn accounts - 164m

    Adobe accounts - 152m

  • EBay - 145m

  • Badoo accounts - 112m

    B2B USA Businesses accounts - 105m

    Source: haveibeenpwned.com, media reports

“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” Khosrowshahi said.

“We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.” Bloomberg News first reported the data breach on Tuesday.

Khosrowshahi said Uber had begun notifying regulators. The New York Attorney-General has opened an investigation, a spokesman said.
Regulators in Australia and the Philippines said yesterday they would look into the matter.

Uber is seeking to mend fences in Asia after having run-ins with authorities, and is negotiating with a consortium led by Japan’s SoftBank Group for fresh investment.

Uber has also run into trouble in Britain. The secret pay-off to hackers raises “huge concerns” about its data policies and ethics, Britain’s data protection regulator said on Wednesday. 

“Deliberately concealing breaches from regulators and citizens could attract higher fines for companies,” James Dipple-Johnstone, deputy commissioner of the UK Information Commissioner’s Office, said in a statement.  

The maximum penalty is 500,000 pounds (S$897,200) under current British law for organisations that fail to notify affected users and regulators when data breaches occur.  

Uber said it had fired its chief security officer, Joe Sullivan, and a deputy, Craig Clark, this week because of their role in the handling of the incident. Mr Sullivan, formerly the top security official at Facebook Inc and a federal prosecutor, served as both security chief and deputy general counsel for Uber.

Sullivan declined to comment when reached by Reuters. Clark could not immediately be reached for comment.

Kalanick learned of the breach in November 2016, a month after it took place, a source familiar with the matter told Reuters. At the time, the company was negotiating with the US Federal Trade Commission over the handling of consumer data.

A board committee had investigated the breach and concluded that neither Kalanick nor Salle Yoo, Uber’s general counsel at the time, were involved in the cover-up, another person familiar with the issue said. The person did not say when the investigation took place.

Kalanick, through a spokesman, declined to comment. The former CEO remains on the Uber board of directors.

Although payments to hackers are rarely publicly discussed, US Federal Bureau of Investigation officials and private security companies have told Reuters that an increasing number of companies are paying criminal hackers to recover stolen data.

“The economics of being a bad guy on the internet today are incredibly favorable,” said Oren Falkowitz, co-founder of California-based cyber security company Area 1 Security.

 
 

Khosrowshahi said on Tuesday he had hired Matt Olsen, former general counsel of the US National Security Agency, to restructure the company’s security teams and processes. The company also hired Mandiant, a cybersecurity firm owned by FireEye Inc, to investigate the breach.

Uber has earned a reputation for flouting regulations in areas where it has operated since its founding in 2009. The US has opened at least five criminal probes into possible bribes, illicit software, questionable pricing schemes and theft of a competitor's intellectual property, people familiar with the matters have said. The San Francisco-based company also faces dozens of civil suits. London and other governments have taken steps toward banning the service, citing what they say is reckless behaviour by Uber.

In January 2016, the New York Attorney-General fined Uber US$20,000 for failing to promptly disclose an earlier data breach in 2014. After last year's cyber attack, the company was negotiating with the FTC on a privacy settlement even as it haggled with the hackers on containing the breach, Uber said. The company finally agreed to the FTC settlement three months ago, without admitting wrongdoing and before telling the agency about last year's attack.