Uber admits to paying hackers to keep security breach under wraps

22 Nov 2017

Uber Technologies Inc paid hackers $100,000 to keep secret a massive breach last year that exposed the personal information of about 57 million accounts of the ride-service provider, the company said on Tuesday.

The hackers stole the personal data of customers and drivers in a massive breach that the company concealed for more than a year.

Discovery of the cover-up of the incident resulted in the firing of two employees responsible for its response to the hack, said Dara Khosrowshahi, who replaced co-founder Travis Kalanick as chief executive in August.

This week, the ride-hailing firm ousted its chief security officer and one of his deputies for their roles in keeping the hack under wraps, which included a $100,000 payment to the attackers.

''None of this should have happened, and I will not make excuses for it,'' Khosrowshahi said in a blog post.

The breach occurred in October 2016 but Khosrowshahi said he had only recently learned of it.

The hack is another controversy for Uber on top of sexual harassment allegations, a lawsuit alleging trade secrets theft and multiple federal criminal probes that culminated in Kalanick's ouster in June.

The stolen information included names, email addresses and mobile phone numbers of Uber users around the world, and the names and licence numbers of 600,000 US drivers, Khosrowshahi said.

No Social Security numbers, credit card information, trip location details or other data were taken, Uber said.

Uber passengers need not worry as there was no evidence of fraud, while drivers whose licence numbers were stolen would be offered free identity theft protection and credit monitoring, the company further said.

At the time of the incident, Uber was negotiating with US regulators investigating separate claims of privacy violations. Uber now says it had a legal obligation to report the hack to regulators and to drivers whose licence numbers were taken. Instead, the company paid hackers to delete the data and keep the breach quiet.

Uber said it believes the information was never used but declined to disclose the identities of the attackers.

Two hackers gained access to proprietary information stored on GitHub, a service that allows engineers to collaborate on software code. There, the two people stole Uber's credentials for a separate cloud services provider where they were able to download driver and rider data, the company said.

A GitHub spokeswoman said the hack was not the result of a failure of GitHub's security.
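The attack path described above, repository contents yielding live credentials for a separate cloud provider, is exactly the failure that scanning commits for secrets is meant to catch before a push. As an added illustration, not code from the article or from Uber, the Python scanner below flags assignments whose variable name looks credential-like or whose literal value is too random to be ordinary text; the sample config, the sensitive-name list, the 3.5-bit entropy threshold and the use of AWS's published documentation example key values are all constructed assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample of a committed config file (not from the article). It mixes
# harmless settings with a long-lived cloud credential: once pushed to a shared
# repository, anyone who can read the repo can reach the cloud account with it.
# The key values are AWS's own documentation examples, assumed here for illustration.
SAMPLE_FILE = """\
region = "us-east-1"
log_level = "debug"
access_key_id = "AKIAIOSFODNN7EXAMPLE"
secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
greeting = "hello world"
"""

# Variable names that usually carry credentials (assumed list; extend per environment).
SENSITIVE_NAME = re.compile(r"(secret|token|password|passwd|api_key|access_key)", re.I)
# name = "literal" / name: 'literal' assignments in INI, TOML, Python or shell style files;
# literals shorter than 8 characters are ignored as too short to be a usable key.
ASSIGNMENT = re.compile(r"""^\s*([A-Za-z_][\w.-]*)\s*[=:]\s*["']([^"']{8,})["']""")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random keys score well above prose or hostnames."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, entropy_threshold: float = 3.5) -> list[dict]:
    """Return one finding per line that looks like a committed credential.

    Two independent signals are checked: a sensitive-looking variable name, and a
    literal whose character distribution is too random to be ordinary text.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ASSIGNMENT.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        reasons = []
        if SENSITIVE_NAME.search(name):
            reasons.append("sensitive-name")
        if shannon_entropy(value) >= entropy_threshold:
            reasons.append("high-entropy")
        if reasons:
            findings.append({"line": lineno, "name": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_FILE):
        print(f"line {f['line']}: {f['name']} flagged ({', '.join(f['reasons'])})")
```

Run over the sample, only the two credential lines are reported; the region, log level and greeting pass both checks, which is the kind of signal a pre-commit hook or CI job can block on.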

''While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,'' Khosrowshahi said.

''We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.''

Khosrowshahi said Uber had begun notifying regulators. The New York attorney general has opened an investigation, a spokeswoman said.

Uber said it had fired its chief security officer, Joe Sullivan, and a deputy, Craig Clark, this week because of their role in the handling of the incident. Sullivan, formerly the top security official at Facebook Inc and a federal prosecutor, served as both security chief and deputy general counsel for Uber.

Kalanick learned of the breach in November 2016, a month after it took place, a source familiar with the matter told Reuters. At the time, the company was negotiating with the US Federal Trade Commission over the handling of consumer data.

A board committee had investigated the breach and concluded that neither Kalanick nor Salle Yoo, Uber's general counsel at the time, were involved in the cover-up, another person familiar with the issue said. The person did not say when the investigation took place.

Uber said on Tuesday it was obliged to report the theft of the drivers' licence information and had failed to do so.

Kalanick, through a spokesman, declined to comment. He remains on the Uber board of directors, and Khosrowshahi has said he consults with him regularly.

Joe Sullivan, the outgoing security chief, spearheaded the response to the hack last year, a spokesman told Bloomberg. Sullivan has been at the centre of much of the decision-making that has come back to bite Uber this year.

Last month the board commissioned an investigation into the activities of Sullivan's security team. This project, conducted by an outside law firm, discovered the hack and the failure to disclose, Uber said.

Hacking is big business

Although payments to hackers are rarely publicly discussed, FBI officials and private security companies have told Reuters that an increasing number of companies were paying criminal hackers to recover stolen data.

''The economics of being a bad guy on the Internet today are incredibly favourable,'' said Oren Falkowitz, co-founder of California-based cyber security company Area 1 Security.

The Uber breach, while large, is dwarfed by those at Yahoo, MySpace, Target Corp, Anthem Inc and Equifax Inc, says Bloomberg. What's more alarming are the extreme measures Uber took to hide the attack.

The breach is the latest scandal Khosrowshahi inherits from his predecessor, Travis Kalanick.

Uber has a history of failing to protect driver and passenger data. Hackers previously stole information about Uber drivers and the company acknowledged in 2014 that its employees had used a software tool called ''God View'' to track passengers.