Free Republic

Uber Paid Off Hackers To Hide Massive Data Breach
M.I.T Technology Review | November 22, 2017 | Martin Giles

Posted on 11/21/2017 8:21:37 PM PST by nickcarraway

The latest scandal to engulf the transportation giant could be its worst yet.

Uber has taken plenty of wrong turns over the past few years. But the latest is certainly one of the most damaging. Bloomberg has revealed that the company concealed for more than a year a massive data breach that exposed sensitive records of millions of drivers and customers. The breach, which occurred in October 2016, was reportedly hidden by Uber’s Chief Security Officer, Joe Sullivan, and others. Sullivan and one of his deputies have been ousted by the company. Travis Kalanick, the firm’s cofounder and former CEO, was made aware of the breach not long after it happened.

In a press release published shortly after Bloomberg’s story appeared, Uber’s current CEO, Dara Khosrowshahi, said hackers had been able to download files containing a significant amount of information, including the names and driver’s license numbers of around 600,000 drivers in the United States, as well as personal information such as names, email addresses and mobile phone numbers of 57 million Uber users around the world. The company says outside forensic experts it called in to analyze the breach haven’t seen any indication that credit card numbers, bank account details and social security numbers have been downloaded. But it didn’t say that such details hadn’t been breached.

As with previous mega-hacks, more details will emerge in coming days and weeks. But there are already pressing questions that demand swift answers. Who exactly within Uber’s staff knew about the hack after it occurred and how many people were actively involved in the cover up, which involved paying the hackers $100,000 to delete data and keep the breach quiet? Was anyone on Uber’s board told about the intrusion at the time? If not, why not? And why did Uber fail to inform regulators swiftly about the hack?

Bloomberg’s report says that when the breach occurred, Uber was already talking with US regulators about separate privacy violations and had just settled a case with the Federal Trade Commission over mishandling of consumer data. It also reported last month that the company’s board had launched an investigation into the activities of Sullivan’s security team. It was the outside law firm leading that effort that uncovered the hack and the cover up.

The breach also raises questions about the state of Uber’s security practices. According to Bloomberg, the intruders were able to find login credentials from Uber engineers left on GitHub, a widely used code repository, that gave them access to an Amazon cloud computing server holding the data. That’s a startling breach of security fundamentals. It’s also astonishing that such large amounts of sensitive personal data were being held on a third-party service without apparently being encrypted.

Uber’s now scrambling to limit the damage to its reputation. The company has hired a former general counsel for the NSA to help it rethink its security practices and has also retained Mandiant, a cybersecurity firm that has dealt with the fallout from many high-profile breaches. Khosrowshahi learned about the breach in late 2016. “None of this should have happened,” he said in the release, “and I will not make excuses for it.” That’s just as well because the behavior and practices that led to this fiasco are inexcusable.


TOPICS: Business/Economy; Crime/Corruption; Extended News; News/Current Events
KEYWORDS: databreach; uber; uberhacked
Thanks, Travis.
1 posted on 11/21/2017 8:21:37 PM PST by nickcarraway

To: nickcarraway
Who exactly within Uber’s staff knew about the hack after it occurred and how many people were actively involved in the cover up, which involved paying the hackers $100,000 to delete data and keep the breach quiet? Was anyone on Uber’s board told about the intrusion at the time? If not, why not? And why did Uber fail to inform regulators swiftly about the hack?

The person who authorized the payment needs to be cuffed, thrown in jail and charged with whatever the applicable crimes are under threat of maximum financial penalties and maximum jail time.

Apply pressure, wait for them to sing, and arrest the executive they indict and repeat the process.

As long as Equifax, Target, BoA, Chase, Uber etc. don't have executives arrested and thrown in jail, this problem never gets better.

The entire point of a CISO (Chief Information Security Officer) and CTO (Chief Technology Officer) in ANY decent organization these days is to protect customer data. Fail that, go to jail. Period.

My life got seriously disrupted by the Equifax breach. I spent 45 days, countless hours and HUNDREDS of dollars getting my accounts back, my credit reports secured and monitoring put in place along with closing compromised accounts and having to open new ones.

I want someone's ass to go to jail for not protecting MY information that they had no right collecting and aggregating in the first damn' place.

2 posted on 11/21/2017 8:33:23 PM PST by usconservative (When The Ballot Box No Longer Counts, The Ammunition Box Does. (What's In Your Ammo Box?))

To: nickcarraway
Well, that explains how they got my DL number to go along with the data from Transunion...

Screw it, not worth ever doing another Uber drive again.

3 posted on 11/21/2017 8:34:18 PM PST by kingu (Everything starts with slashing the size and scope of the federal government.)

To: kingu

I predict Uber will be out of business within 10 years. Maybe sooner. If stupidity like this doesn’t sink them first, the self-driving car will.


4 posted on 11/21/2017 9:15:41 PM PST by generally ( Don't be stupid. We have politicians for that.)

To: usconservative
The entire point of a CISO (Chief Information Security Officer) and CTO (Chief Technology Officer) in ANY decent organization these days is to protect customer data. Fail that, go to jail. Period.

Might as well put them all in jail now. There is literally no way to protect against hackers. Sure they could have patched Struts but Struts is a giant piece of crap that undoubtedly has other holes. The fact is that if a company collects data, that data is not safe.

5 posted on 11/21/2017 9:28:57 PM PST by palmer (...if we do not have strong families and strong values, then we will be weak and we will not survive)

To: generally
I predict Uber will be out of business within 10 years.

A better idea to Uber would've been private mass transit.

6 posted on 11/21/2017 10:05:57 PM PST by Extremely Extreme Extremist (10% pure, flat income tax for everyone. No deductions, credits, or loopholes.)

To: nickcarraway

Block chain will fix this. You will own your own data again.


7 posted on 11/22/2017 2:43:28 AM PST by mindburglar (I have an above average brain stem)

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
