Uber paid off hackers in attempt to hide theft

Thursday, 23 Nov, 2017

Instead of reporting the incident, Uber agreed to pay the two hackers $100,000 to delete the data and keep the breach quiet.

Uber joined the likes of Google, Sony, Yahoo and Target among companies that have suffered massive data breaches from hackers in recent years. And to Khosrowshahi's credit, he responded to learning of the security breach with the fury of someone who wants to make it clear that this kind of thing is unacceptable and will not be tolerated. The hack didn't penetrate Uber's corporate systems or infrastructure, he said.

The revelations emerged as new Uber boss Dara Khosrowshahi, who replaced founder and former CSO Travis Kalanick after his departure in August, came clean about the company's actions after a 2016 data breach in which two external individuals had accessed data stored on a third-party cloud service that the company uses. "What I learned, particularly around our failure to notify affected individuals or regulators a year ago, has prompted me to take several actions", Khosrowshahi stated in a blog post. The company has also been in the spotlight over a sexual harassment case, and it has been subject to federal scrutiny for its use of Greyball, software created to mislead local regulators in order to prevent them from enforcing taxi regulations.

Should we all just assume our data is lost?

To further hide the damage, Uber executives also made it appear as if the payout had been part of a "bug bounty" - a common practice among technology companies in which they pay hackers to attack their software to test for soft spots.

"Not only will 2018 see this mandated by GDPR [EU's General Data Protection Regulation], but it is vital to ensure that even in the wake of a breach customers do not lose total faith in a brand's ability to protect their data", he said. The SEC launched a probe into Yahoo, which is now part of Verizon Communications, and whether it disclosed its 2014 breach in a timely manner.

"Cloud services, such as AWS, are secured with SSH [secure shell] keys that are often outside the control of security teams", said Kevin Bocek, vice-president of security strategy and risk intelligence at Venafi.

Vera Jourova, the European Union commissioner in charge of data, said Uber's failure to come clean about the breach showed why the new data protection law was needed.

Because Uber is privately held, it is unlikely to be the target of an SEC investigation, David Chase, a former SEC enforcement attorney, told WSJ. In a coincidentally timed announcement shortly before Uber's hacking disclosure Tuesday, Whitman said she was stepping down as head of Hewlett Packard Enterprise Co.