Uber paid hackers to keep data breach secret, sources say
Uber, the ride-hailing smartphone app, suffered a data breach last year in which over 57 million customers and 600,000 drivers had their personal information stolen by a 20-year-old hacker from Florida.
Now, in a statement released on the 2016 attack, Uber said that it paid two hackers $100,000 in ransom to destroy the data from the company’s 2016 hack and keep the breach quiet, Reuters reported. It also did not notify those who had been affected by the breach.
According to the statement, the hack was carried out by two people on a third-party cloud service. The rideshare company did not disclose any further information except that the hacker is a 20-year-old man from Florida.
The stolen information included names and driver’s license numbers as well as rider names, email addresses and mobile phone numbers. However, no information relating to location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth was stolen, Uber said. Affected drivers will get free credit monitoring and identity theft protection.
“None of this should have happened, and I will not make excuses for it,” Uber’s current CEO Dara Khosrowshahi said in the statement. It was revealed that even he was not aware of the 2016 incident until “recently”.
On November 21, 2017, Uber had announced the data breach that took place last year. Newly appointed Uber CEO Khosrowshahi fired two of Uber’s top security officers when he announced the breach last month, following an investigation that first alerted Uber’s board about the hack.
According to Khosrowshahi, the incident should have been disclosed to regulators when it was discovered last year, Reuters reported.
“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures,” Uber said in a statement.
Sources told Reuters that former CEO Travis Kalanick knew about the 2016 hack and the “bug bounty” payment in November of last year. However, who made the final decision to authorize the payment to the hacker and to keep the breach secret is still unclear.
“You may be asking why we are just talking about this now, a year later. I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it,” Khosrowshahi said of the breach.
Kalanick was aware of the breach and the “bug bounty” payment in November of last year. Uber’s “bug bounty” program is hosted by HackerOne, a company that provides its platform to a number of tech companies, the report said. Bug bounty programs are typically used by security researchers to report software weaknesses.
However, it appears that the hacker stole the information first and was then retroactively entered into the bug bounty program. In other words, the Uber executives who knew about the breach used the bug bounty so that they could pay the hacker and pretend it was all part of the IT security protocol.
The company did not want to disclose that it had been hacked and would probably not have acknowledged it either, had it not been for the investigation carried out by the board last month.
Reuters was unable to establish the identity of the hacker or of another person who sources said helped him. Uber spokesman Matt Kallman declined to comment on the matter. Similarly, Kalanick, who stepped down as Uber CEO in June, declined to comment on the matter, according to his spokesman.
Katie Moussouris, a former HackerOne executive, told Reuters that Uber’s payout and silence at the time were extraordinary under such a program.
“If it had been a legitimate bug bounty, it would have been ideal for everyone involved to shout it from the rooftops,” Moussouris said.
Five states and several countries are investigating the matter, to find out whether the company was required by law to notify users or government agencies after the breach.