Uber is not known for it’s high level of ethics, but it turns out Uber paid hackers to not go public with the fact they’d breached 57 Million accounts – which is a very shady thing to do. Getting hacked is one thing (usually someone f*cked up), but choosing as a company to systematically cover up a breach to the tune of $100,000 – that’s just wrong.
57 Million is a fairly significant number as well with Uber having around 40 Million monthly users, of course, it’s not the scale of Equifax with 143 Million (or more).
It includes both riders and 600,000 driver information, Uber says nothing fraudulent appears to have happened since the breach and compromised accounts are flagged in the system for extra monitoring.
By Now, the name Uber has become practically synonymous with scandal. But this time the company has outdone itself, building a Jenga-style tower of scandals on top of scandals that has only now come crashing down. Not only did the ridesharing service lose control of 57 million people’s private information, it also hid that massive breach for more than a year, a cover-up that potentially defied data breach disclosure laws. Uber may have even actively deceived Federal Trade Commission investigators who were already looking into the company for distinct, earlier data breach.
On Tuesday, Uber revealed in a statement from newly installed CEO Dara Khosrowshahi that hackers stole a trove of personal data from the company’s network in October 2016, including the names and driver’s license information of 600,000 drivers, and worse, the names, email addresses, and phone numbers of 57 million Uber users.
As bad as that data debacle sounds, Uber’s response may end up doing the most damage to the company’s relationship with users, and perhaps even exposed it to criminal charges against executives, according to those who have followed the company’s ongoing FTC woes. According to Bloomberg, which originally broke the news of the breach, Uber paid a $100,000 ransom to its hackers to keep the breach quiet and delete the data they’d stolen. It then failed to disclose the attack to the public—potentially violating breach disclosure laws in many of the states where its users reside—and also kept the data theft secret from the FTC.
It’s definitely possible there could be some serious consequences for Uber in a legal context as they’ve certainly breached some federal laws concerning disclosure to the FTC and in general not disclosing a breach that has leaked customer records.
They previously fired their Chief Security Officer, which obviously hasn’t helped much (more of a PR/Blame exercise most likely).
According to Bloomberg, Uber’s 2016 breach occurred when hackers discovered that the company’s developers had published code that included their usernames and passwords on a private account of the software repository Github. Those credentials gave the hackers immediate access to the developers’ privileged accounts on Uber’s network, and with it, access to sensitive Uber servers hosted on Amazon’s servers, including the rider and driver data they stole.
While it’s not clear how the hackers accessed the private Github account, the initial mistake of sharing credentials in Github code is hardly unique, says Jeremiah Grossman, a web security researcher and chief security strategist at security firm SentinelOne. Programmers frequently add credentials to code to allow it automated access to privileged data or services, and then fail to restrict how and where they share that credential-laden software.
“This is all too common on Github. It’s not a forgiving environment,” says Grossman. He’s far more shocked by the reports of Uber’s subsequent coverup. “Everyone makes mistakes. It’s how you respond to those mistakes that get you in trouble.”
It’d be interesting to get a bit more details on what happened, were the credentials accidentally pushed to a Github repo that was public? Or did the hacker(s) actually get access to a private Github repo that contained critical credentials?
Sadly both are pretty common, even with Github having an option to enforce 2FA across an entire organsiation – many people are not using it.