Uber Paid Ransom to Erase Stolen Data on 57 Million Users

Cybercriminals got a hold of the information of at least 57 million users between customers and drivers from Uber Technologies Inc. almost a year ago. The company managed to keep the information on a low profile until this week when they fired the employee responsible for the leak as well as one of the members of his staff. The team was let go because of the way they handled the problem, which apparently included the payment of $100,000 to the perpetrators to lose the data.

  •         The company allegedly paid cybercriminals a sum of $100,000 to erase the stolen information
  •         Security officer Joe Sullivan and at least one member of his team were fired over the scandal

Among the information collected by the Hacker team that attacked the company’s servers on October of 2016 were a list of full names, email accounts and phone numbers of 50 million clients as well as the driving license numbers of 600,000 drivers among the 7 million drivers the company registered. In a stroke of luck, no info was lost regarding credit card numbers, social security numbers or client’s trip history.

When the attack to the company was happening, Uber was in a process of counseling with a U.S legal team that was checking complains of privacy violations on behalf of the company. Their defense is claiming accountability for the hack now. But at the moment of the leak, they kept the attack quiet, preferring a negotiation with the hackers to dump the data while keeping the leak away from media. Uber has declared that they don’t think the information was ever used, and they also deny knowing the assailants.

The new head of security, Dara Khosrowshani has declared that there is no acceptable excuse for this derailed train of events, but the company is doing its best to change the way of handling their information. After the news of the attack broke last Tuesday, New York Attorney General Eric Schneiderman put an investigative team to get everything on the attack. Uber Technologies Inc. is also being sued for negligence on the handling of customer information by a private citizen seeking reparation.

This is not the first time something like this has happened. In the past, companies like Yahoo, MySpace, Target, Sony, and Gawker were attacked and their data was stolen. Most of them have come clean with it by advising their customers to change their passwords while they increased their security protocols internally. The most disturbing aspect of this case was the measures implemented by Uber to keep the leak quiet. This new scandal is one of the latest problems inherited by Khosrowshahi from his predecessor, Uber founder, and CEO Travis Kalanick.

Kalanick was told about the breach of their data in November of 2016. The previous month the company just settled a lawsuit in New York over data security exposure. They were also in the process of setting up conversations with the Federal Trade Commission to improve their management of consumer data.

While the picture looks grim for Uber, the company actually has somebody to point a finger at for all their current problems. Joe Sullivan, the recently fired security officer used to be a federal prosecutor who joined the company after a brief stint on Facebook. He’s the one who has taken all the decisions that have put Uber between the literal rock and a hard place this year.  Bloomberg has reported that the company set up an independent investigation by an outside law firm that audited all the activities of Sullivan’s security team. They were the ones to discover the leak and the way it was handled.

This is how the information was stolen from Uber: a couple of hackers gained access to private GitHub coding usually used by Uber to handle their day-to-day operations, from where they had access to login credentials to the Amazon’s web services that handle the computer process for the company. One inside they got all the information they needed on rider and driver archives. After that, they mailed the company their demands to avoid a massive leak.

Federal regulations have been in place for a long time, demanding companies to alert their customers and the pertinent government agencies when sensitive data is breached. Among the data stolen, the one that has more weight is the driver licenses information and Uber failed to report the attack on this data.

Khosrowshahi declared that when the attack happened, the company took some serious steps to avoid further leaks and to prevent unwanted access to their data and their cloud-based storage accounts. But Uber has a track record of constantly disregarding regulations pertinent to their operations since they began to offer their services in 2009. In the U.S they have faced multiple federal and civil suits regarding bribes, software appropriation, questionable business practices and theft of intellectual property.  In the U.K the story is not so different since regulation agencies are studying the case to work it as a precedent in what it could very well mean the ban of the service in the old continent because of the company’s improper practices.

Last year, Uber was fined with $20,000 by New York’s attorney general because they didn’t report a previous data breach in 2014. After the breach of 2016, the company was in conversations with the FTC over the handling of private information while they dealt with the attack in the background without reporting it.

Khosrowshahi is working hard to change the perception that Uber is not willing to work with federal agencies. They reported the 2016 attack last Tuesday to the FTC and immediately fired the official in charge of the cover-up along his immediate subordinate. The new CEO offered a written statement to the press claiming to be unable to change the past but willingly committed to shaping a better future where the company shows more responsibility.

Uber continued to explain the finding of their internal audit by explaining that their outgoing Chief Legal Officer, Salle Yoo, didn’t know about the attack and the compromising of information. But the company repeated questioning about her responses on other matters made it impossible for the working relationship to continue. She’s being replaced by Tony West who already has a hand on all the available information about the attack and how to deal with it.

Uber has been under some serious shakeups by restructuring their board and refreshing their working team. The changes began this year when founder Travis Kalanick was ousted as CEO as per the demand of their investors. They cited that Kalanick practices put the company under the watch of authorities and he’s been deemed a legal liability (He will remain on the board filling two seats). The company has brought Matt Councel who has worked previously with the National Security Agency and the National Counterterrorism Center to work as an adviser to build a new security team. Uber has also hired an independent contractor named FireEye Inc. to further investigate the hack.

The company has let their customers know that there is no evidence of misuse of the stolen data, but they plan to provide the drivers whose license was compromised with credit protection monitoring as well as ID theft protection.