Uber Gets Hacked and Attempts Cover-Up

Uber has been an interesting spectacle to watch over the past couple of years. The company has come under serious heat dealing with all sorts of different scandals from sexual harassment to discrimination, an exodus of executives (including a CEO/founder resignation), city-wide and country-wide bans, and countless boycotts, yet it’s continued to grow at record levels. It’s partnered with big time players like SPG, American Express, and even now has a co-branded credit card that’s arguably one of the best top cash back credit cards on the market.

The media firestorm has died down a little bit for Uber recently but Uber is once again back in the hot seat after it was just announced that there was a global breach of the personal information of 57 million customers and drivers in October 2016. Yes, that’s October of 2016 not 2017.

As if the data breach wasn’t bad enough, Uber actually tried to conceal the breach from the affected individuals and regulators by paying $100,000 to the hackers.

What did the hackers steal?

The hackers stole personal data including names, email addresses and phone numbers of millions of customers and also got away with the names and driver’s license numbers of about 600,000 drivers in the US. Uber said more highly sensitive information, such as location data, credit card numbers, bank account numbers, social security numbers, and birth dates, had not been compromised (so I guess we’re supposed to just take their word on that?).

How did the Uber hack happen?

According to Bloomberg, the breach occurred when two hackers obtained login credentials to access data stored on Uber’s Amazon Web Services account. Paul Lipman, CEO of cybersecurity firm BullGuard, said that holding that the fact that the data was being stored unencrypted was “unforgivable”.

I’ve been trying to like Uber ever since I first used it back in 2014. It’s a brilliant idea and has made travel cheaper and easier for millions of people across the globe, including myself. But at this point, Uber has given the world plenty of reasons to hate them and want them out of their towns. I understand they are still in the process of righting their ship and they’ve made some improvements like adding the ability for drivers to receive tips.

However, in a day where data breaches are becoming increasingly common, there is absolutely no excuse for trying to cover up a massive data breach that affected over 50,000,000 people.

Legally speaking, it’s also an incredibly stupid thing to attempt as well. Chris Hoofnagle of the Berkeley Center for Law and Technology said not disclosing the breach was “amateur hour” and “[t]he only way one can have direct liability under security breach notification statutes is to not give notice. Thus, it makes little sense to cover up a breach.”

Under California state law, companies are required to notify state residents of any breach of unencrypted personal information, and must inform the attorney general if more than 500 residents are affected by a single breach. This breach affected more than 100,000X the minimum amount of people that requires disclosure so it’s pretty obvious that Uber is in some deep you know what.

Here’s what the CEO of Uber, Dara Khosrowshahi, says they are doing in response to this realization:

  • I’ve asked Matt Olsen, a co-founder of a cybersecurity consulting firm and former general counsel of the National Security Agency and director of the National Counterterrorism Center, to help me think through how best to guide and structure our security teams and processes going forward. Effective today, two of the individuals who led the response to this incident are no longer with the company.
  • We are individually notifying the drivers whose driver’s license numbers were downloaded.
  • We are providing these drivers with free credit monitoring and identity theft protection.
  • We are notifying regulatory authorities.
  • While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection.

The CEO concluded his remarks:

None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.