Uber Paid Hackers $100,000 To Cover Up 2016 Data Theft

News
By Nathaniel Mott
published

Uber announced that personal information regarding 57 million of its riders and drivers was stolen in 2016. The company initially covered up the data theft by paying the hackers $100,000 in exchange for deleting their copy of the information and signing non-disclosure agreements. But after a board of directors investigation into its business practices—and a subsequent report on the hack from Bloomberg—Uber finally disclosed the theft.

The affected information includes the names, email addresses, and phone numbers of 50 million Uber riders and 7 million drivers. Another 600,000 of the company's drivers ("driver-partners," natch) had their driver's license numbers compromised. Uber said it will notify the drivers whose license numbers were stolen and give them free credit monitoring and identity theft protection; it didn't say if it plans to contact riders.

The company was careful to note that none of this information was stolen from its own infrastructure. Instead, it was taken from a "third-party cloud-based service." According to Bloomberg, the service in question is Amazon Web Services, and the attackers didn't so much compromise the service as they stole credentials Uber engineers stored unprotected on GitHub. With those credentials in hand, the data was easy to grab.

Worse than the negligence was Uber's (almost successful) attempt to cover up the theft. In addition to paying the hackers $100,000 to delete the information and sign non-disclosure agreements, Uber also disguised the payment as part of its bug bounty program and failed to disclose it to regulators investigating its security practices. Incoming CEO Dara Khosrowshahi also wasn't informed of the incident when he was hired in June.

Khosrowshahi said in his blog post:

You may be asking why we are just talking about this now, a year later. I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it. What I learned, particularly around our failure to notify affected individuals or regulators last year, has prompted me to take several actions [...] None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.

The actions include: bringing on Matt Olsen, former general counsel of the National Security Agency and director of the National Counterterrorism Center, to advise him on how to lead his security team; firing chief security officer Joe Sullivan and legal director of security and law enforcement Craig Clark, per The New York Times; notifying affected drivers and giving them fraud protection; and flagging other affected accounts.

Uber's breach clearly pales in comparison to those at Equifax, Yahoo, and other companies that collected more detailed information about far more people. But its response to this breach highlights the company's leadership style of begging forgiveness instead of attempting to do the right thing—i.e., not paying off hackers and then hiding the payment from the world—from the get-go. Perhaps Khosrowshahi will change that.

Nathaniel Mott
Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

9 Comments Comment from the forums
  • termathor
    "The company was careful to note that none of this information was stolen from its own infrastructure. Instead, it was taken from a "third-party cloud-based service." According to Bloomberg, the service in question is Amazon Web Services, and the attackers didn't so much compromise the service as they stole credentials Uber engineers stored unprotected on GitHub. With those credentials in hand, the data was easy to grab."

    Wow, that is top-notch PR: blaming AWS because, indeed, it was stolen from their infra ... and forgetting to tell people "By the way, we're used to leave our AWS credentials in the wild, unencrypted" ...

    Great !
    Reply
  • USAFRet
    57 million.

    "The company was careful to note..."
    "...that they will say anything that tries to deflect liability from their abysmal practices."

    And then paid $100k so the hackers would delete their copy? LOLOL
    Reply
  • LeeRains
    I deleted Uber from my phone 2 scandals prior to this one. Via and Lyft work great in Manhattan when subways and buses aren’t convenient.

    Even in the midst a cultural tsunami of scandals, Uber manages to continually stick out. Why do people continue to use Uber over its as-good or better competitors? Do these people also request the riskiest route home for no reason as well?
    Reply
  • cryoburner
    To be fair, the leaked information seems pretty minor. Names, email addresses, and phone numbers are not exactly ultra-private information, and can often be easily found online. While cell phone numbers might not be public knowledge by default, most landline numbers were always freely accessible to the public. They didn't mention anything about addresses either, so most of the leaked information would be of limited usefulness.
    Reply
  • USAFRet
    20415290 said:
    To be fair, the leaked information seems pretty minor. Names, email addresses, and phone numbers are not exactly ultra-private information, and can often be easily found online. While cell phone numbers might not be public knowledge by default, most landline numbers were always freely accessible to the public. They didn't mention anything about addresses either, so most of the leaked information would be of limited usefulness.

    The problems are:

    The actual leak
    Their crappy security practices
    Covering it up for a year
    And then paying the $100k

    When we give information to these companies, we are trusting them not to screw it up.
    If Uber had said, up front when you sign up for the service, "We will distribute any and all of the information you give us, to whoever asks or steals it."....would you use their service?
    No. Somewhere in their ToS, they almost certainly said something to the effect of "Your data is safe with us".
    Apparently not.

    Many fools would, but I know I would not. And neither would you.
    Reply
  • JamesSneed
    Makes you wonder what else we don't know about.
    Reply
  • cryoburner
    20415340 said:
    If Uber had said, up front when you sign up for the service, "We will distribute any and all of the information you give us, to whoever asks or steals it."....would you use their service?
    No. Somewhere in their ToS, they almost certainly said something to the effect of "Your data is safe with us".
    I don't use their service anyway, so they can put whatever they want in there. : P

    My point was more that the compromised data was arguably not nearly as vital as that leaked by other companies mentioned in the article. A list of names, phone numbers and email addresses is something easy to come by, and while such information could potentially be used to make a phishing attack more effective, for example, it's not a huge breach of privacy in itself. Someone bothered by that should be more concerned about the vast stores of user data gathered and "safely" stored by companies like Google.

    And technically, it doesn't even sound like the data has been leaked beyond those who initially acquired it. It could also probably be argued that the $100,000 was paid for uncovering the security issues that made the data leak possible. $100,000 isn't really a huge sum of money for a multi-billion dollar company, after all. Of course, they should have disclosed the leak to regulators, even if they considered the payment as money paid to "security researchers" who they were reasonably sure were not going to make further use of the data.
    Reply
  • tommyjarvis2756
    20407853 said:
    "The company was careful to note that none of this information was stolen from its own infrastructure. Instead, it was taken from a "third-party cloud-based service." According to Bloomberg, the service in question is Amazon Web Services, and the attackers didn't so much compromise the service as they stole credentials Uber engineers stored unprotected on GitHub. With those credentials in hand, the data was easy to grab."

    Wow, that is top-notch PR: blaming AWS because, indeed, it was stolen from their infra ... and forgetting to tell people "By the way, we're used to leave our AWS credentials in the wild, unencrypted" ...

    Great !
    They clearly needed to get rid of this PR person as well. A good majority of the public might miss it, but the security experts behind the microscope are slapping their foreheads in unison. When you decide to host your data through a cloud provider, that environment you configure IS your infrastructure; YOU are responsible for securing it. Their credentials were obtained from a (perfect example) poorly-configured environment; AND, storing credentials online is about the dumbest thing you could possibly do.
    Reply
  • tommyjarvis2756
    20415340 said:
    20415290 said:
    To be fair, the leaked information seems pretty minor. Names, email addresses, and phone numbers are not exactly ultra-private information, and can often be easily found online. While cell phone numbers might not be public knowledge by default, most landline numbers were always freely accessible to the public. They didn't mention anything about addresses either, so most of the leaked information would be of limited usefulness.

    The problems are:

    The actual leak
    Their crappy security practices
    Covering it up for a year
    And then paying the $100k

    When we give information to these companies, we are trusting them not to screw it up.
    If Uber had said, up front when you sign up for the service, "We will distribute any and all of the information you give us, to whoever asks or steals it."....would you use their service?
    No. Somewhere in their ToS, they almost certainly said something to the effect of "Your data is safe with us".
    Apparently not.

    Many fools would, but I know I would not. And neither would you.
    100% spot on. This brings to mind the Equifax hack, and just leaves me bewildered that they were then HIRED BY THE GOVERNMENT to protect the IRS from fraud. My autistic cat is more qualified to protect IRS data than Equifax.
    Reply