Uber Paid Hackers $100K to Hide Data Breach Exposing 57 Million Users [Updated]

Uber just disclosed a hack from a year ago that it paid to conceal, despite legal requirements that it disclose the breach.
By Joel Hruska
Update (11/24/2017): A new report states that far from having just learned about the breach, Uber CEO Dara Khosrowshahi has known about it since mid-September. Uber, it seems, has no intention of ceasing the consumer-hostile, illegal activities that have typified its culture since its inception. The company has already been hit by two lawsuits since admitting the initial breach and more seem likely to follow given Khosrowshahi's failure to disclose the breach in a timely manner.

Original Story Below:

Uber has spent the past year mired in controversy on virtually every front, from its attempts to evade regulators to lying about driver earnings, to its alleged theft of trade secrets from Google's self-driving car research division, Waymo. Now, on top of these charges, there's evidence that the company suffered a cataclysmic data breach and paid hackers $100,000 to keep the news out of the media.

Bloomberg reports that the compromised data includes names, addresses, email addresses, and telephone numbers of roughly 50 million Uber users. An additional seven million drivers were also impacted, though the data stolen appears to be the same in both cases. Uber had a legal obligation to report the hack to regulators and to the drivers whose driver license numbers were taken. Instead, it paid the hackers to delete the data and keep quiet. Neither then-CEO Travis Kalanick nor the now-replaced Chief Security Officer informed users of the hack.

Current Uber CEO Dara Khosrowshahi wrote an open letter to Uber customers, noting that the flaw arose when two individuals outside the company breached a cloud service provider. According to him, Uber is consulting with outside experts to firm up its own security practices, has fired two of the people responsible for paying off the hacker team, including its former CSO, is providing free credit monitoring and identity theft protection to impacted drivers, and has notified the appropriate authorities.

This hack wasn't exactly rocket science. Bloomberg reports that the attackers accessed a private GitHub repository and found login credentials for Amazon Web Services stored there. Once they had access to the AWS account, they had access to the archive of data and driver information. They emailed Uber asking for money, and Uber found it easier to pay them than to disclose the breach. That's consistent with Uber's previous methodology -- the company faces five criminal probes into its conduct and dozens of civil lawsuits. This breach occurred while Uber was negotiating with the FTC over a privacy settlement related to a 2014 breach, but Uber never informed the agency that it had been breached again.

Uber has taken a hammering in the past year and continues to lose huge amounts of money. It isn't a sustainable business, absent venture capital funding, and it continues to bet on its own long-term success in the self-driving vehicle business as a means of raising capital. Khosrowshahi's honesty on the data breach and his quick action to replace the CSO are a small step in the right direction, but the company will have to do much more to shed the unsavory reputation it's built for itself.
