Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Uber Pays Hackers $100,000 to Delete Compromised Data and to Keep Quiet

November 27, 2017

Uber's reputation was pretty much in the toilet before last week's raft of more bad news and worse decisions.

As Bloomberg reported on November 21st, Uber's data breach took place in October of 2016 and involved the personal data of 57 million customers and drivers. The company not only concealed the breach for more than a year, it paid the hackers $100,000 to delete the data (seriously, it trusted hackers?) and to keep quiet about the breach.

The compromised data included names, e-mail addresses and phone numbers of Uber riders. The personal information of about 7 million drivers was accessed as well.

How did the breach occur? According to Bloomberg, "Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company."
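The chain Bloomberg describes starts with long-lived AWS keys sitting in source control, and a private repository is no protection once someone has a login to it. The script below is an added example of the kind of check a security team would run over a repository before (or after) the fact; it is not Uber's tooling and not part of the Bloomberg report. The file paths and contents are constructed for the illustration, and the key values are the placeholder credentials AWS uses in its own documentation, not real ones.

```python
import re

# Long-lived AWS credentials have a recognisable shape: a 20-character
# access key ID starting with AKIA (IAM user key) or ASIA (temporary STS
# key), and a 40-character secret drawn from the base64 alphabet.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def redact(value):
    """Keep enough of a hit to identify it in a report without re-leaking it."""
    return value[:4] + "..." + value[-4:]


def scan_text(path, text):
    """Return (path, line number, credential kind, redacted value) for each hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((path, lineno, "aws_access_key_id", redact(m.group(1))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((path, lineno, "aws_secret_access_key", redact(m.group(1))))
    return findings


def scan_repo(files):
    """Scan a mapping of path -> file contents, as a checked-out tree would give you."""
    results = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


# Constructed sample repository contents (hypothetical paths). The key
# values are AWS's documented example credentials, not live secrets.
SAMPLE_FILES = {
    "deploy/settings.py": (
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
        "BUCKET = 'rider-exports'\n"
    ),
    "scripts/backup.sh": (
        "#!/bin/sh\n"
        "export AWS_ACCESS_KEY_ID=ASIAIOSFODNN7EXAMPLE\n"
        "aws s3 cp s3://rider-exports/archive.tgz .\n"
    ),
    "README.md": "Credentials come from the instance role; never commit them.\n",
}

if __name__ == "__main__":
    for path, lineno, kind, value in scan_repo(SAMPLE_FILES):
        print(f"{path}:{lineno}: {kind} {value}")
```

A scan of the working tree is only the first step: a key committed and later "removed" is still in the git history, so a real sweep walks every commit, and any hit is treated as compromised and rotated rather than simply deleted. The durable fix is not to have static keys in code at all, but to hand services short-lived credentials through IAM roles, which is exactly what the attackers' route through GitHub would then fail to find.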

Chief Security Officer Joe Sullivan and a lawyer who reported to him are now gone (no surprise). An outside law firm was commissioned by Uber's Board to investigate and discovered both the hack and the failure to disclose the breach as required by state data breach notification laws.

Various state Attorneys General are investigating, and lawsuits have already been filed by consumers. Throw those on top of the dozens of unrelated lawsuits pending against Uber, plus several criminal investigations, and the stench of misconduct is ripe. Uber has been in so much legal trouble for so long that the pile of dirty laundry just continues to mount.

Dara Khosrowshahi, Uber's new CEO, seems to be trying to chart a new path. He wrote a description of the breach, published on Uber's website. Information for those who may be impacted by the breach may be found here. It was encouraging that Mandiant, a division of FireEye, did the investigation. According to Uber, it has seen "no evidence of fraud or misuse tied to the incident." But then, that is the canned response of many breached companies.

I hope the new CEO means it when he says, "We are changing the way we do business."

E-mail: Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson