Uber concealed data breach for a year, paid hackers to delete stolen personal data

Uber has had a rough going in the public eye for some time now, and that looks to only get worse as the ride-sharing service recently divulged a data breach that happened over a year ago and that it paid the hackers $100,000 to delete the stolen personal data.

There is plenty to dissect here, so let’s start with the hack itself, which happened as a result of two people accessing an archive of rider and driver information in October 2016. This information was found on an Amazon Web Services account that handled computing tasks for Uber, with login information obtained through a private GitHub coding site.

The two attackers then emailed Uber, saying that they had personal information of 50 million Uber riders and 7 million Uber drivers. Obtained information included names, email addresses, and phone numbers, along with the US driver’s license numbers of 600,000 drivers. Thankfully, no Social Security numbers, credit card information, trip location details, or other information were obtained.

This is where things take a turn for the worse. When data breaches like this happen, companies are mandated to inform people and government agencies. Not only that, but Uber is legally obligated to disclose to regulators breaches of its riders’ driver’s license information. Instead, Uber decided to keep the breach hush-hush and paid the hackers $100,000 to delete the stolen personal data.

Uber CEO Dara Khosrowshahi, who was not with the company at the time of the hack, believes that the data was never used, but the company nevertheless secured the data implemented tighter security measures:

At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.

In addition to the aforementioned steps, Uber also brought on former National Security Agency general counsel Matt Olsen to help the company restructure its security teams and cybersecurity firm Mandiant to investigate the breach. Uber also plans to release a statement to its customers regarding the breach and will provide drivers free credit protection monitoring and identity theft protection.

Finally, Uber also asked for Joe Sullivan’s resignation, since Sullivan was the security chief who led the company’s response to the breach. Uber also fired Craig Clark, a senior lawyer who reported to Sullivan.

That may be all well and good, but might take a bit until Uber can put this in the past. Just a few hours ago, a lawsuit was filed in federal court in Los Angeles against Uber for its failure to “implement and maintain reasonable security procedures and practices appropriate to the nature and scope of the information compromised in the data breach.” New York Attorney General Eric Schneiderman also confirmed he will launch an investigation into the breach.

Making matters worse, Uber faced the question of what to do about this breach while negotiating with the Federal Trade Commission over how to handle customer data and just after settling a lawsuit with New York Attorney General Eric Schneiderman.

Also keep in mind that this is all happening without so much as a word from Travis Kalanick, who was Uber’s CEO when the breach happened and who learned of it in November 2016. That begs the question of why Kalanick remains quiet about this, exactly how much he knew about the breach, and why he is still on Uber’s board.

Regardless of the answers, Uber still has a long way to go to change the negative narrative around it, and this only intensifies that struggle.