- REUTERS/Kim Kyung-Hoon
- Bloomberg reported on Tuesday that Uber had paid hackers $100,000 to conceal an October 2016 data breach that exposed the personal information of 57 million users.
- The decision to cover up the hack was led by Uber’s former chief executive, Travis Kalanick, and chief security officer Joe Sullivan, who has since been fired.
- The company demanded that the hackers sign nondisclosure agreements and then went on to disguise the payout fee as a “bug bounty,” The New York Times reported.
- There are serious legal ramifications for Uber’s decision not to immediately disclose the breach and Illinois, Massachusetts, New York, and Connecticut are currently investigating the matter, Recode reports.
Bloomberg on Tuesday reported that Uber paid hackers $100,000 to conceal a cyberattack that exposed the personal data of 57 million users of the app in October 2016. The hack exposed the names, emails, and phone numbers of 50 million riders and the US driver’s-license numbers of an additional 7 million drivers.
The hackers contacted Uber and demanded a $100,000 extortion fee to erase the data from their servers, a demand that the company agreed to, according to the report. The decision to acquiesce to the hackers’ fee was reportedly led by former chief executive Travis Kalanick and chief security officer Joe Sullivan.
But new information has come to light giving a further glimpse into Uber’s strategy in dealing with the breach. According to a new report in The New York Times:
“Uber acquiesced to the demands, and then went further. The company tracked down the hackers and pushed them to sign nondisclosure agreements, according to the people familiar with the matter. To further conceal the damage, Uber executives also made it appear as if the payout had been part of a ‘bug bounty’ – a common practice among technology companies in which they pay hackers to attack their software to test for soft spots.”
Uber’s chief security officer, Joe Sullivan, and an attorney who worked directly with Sullivan, Craig Clark, have since been fired.
Illinois, Massachusetts, New York, and Connecticut just launched an investigation into the breach, Recode reports, and the Italian Data Protection Authority is alos investigating the matter.
So how does the Uber hack stack up against other recent data breaches? In comparison to the most recent Equifax security breach, which exposed the Social Security numbers and credit-card numbers of 143 million customers, Uber’s 2016 security breach affected far fewer people.
- BI Graphics
While the legal implications of Uber’s cover-up are still being examined, The New York Times said Uber might have violated the Federal Trade Commission’s stipulation that companies disclose data breaches and reveal any evidence of a cybersecurity compromise. Uber might have also violated California’s breach-disclosure laws.
William McGeveran, a law professor at the University of Minnesota, suggested in a tweet that Uber could be in violation of legal statutes by breaking data-breach-disclosure laws and lying to the FTC while under investigation.
3 issues on Uber, in ascending order of gravity: (1) paying hackers w/o biz continuity justification; (2) ignoring breach notice laws; (3) presumably lying to FTC while under investigation. 2 and 3 break law; 3 probably criminal. https://t.co/iTzNpYM4b6
— William McGeveran (@BillMcGev) November 22, 2017
“None of this should have happened, and I will not make excuses for it,” Dara Khosrowshahi, who joined Uber as CEO in September, wrote in a blog post. “We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
For more details on how Uber handled the cover-up, read The Times’ story here.