Uber Hid Security Breach Impacting 57 Million People, Paid Off Hackers

from the not-good,-uber,-not-good dept

It’s no secret that Uber’s management over the years has been pretty sketchy, if not downright nefarious. At some point I may write a longer post about this, but it appears that the company culture took the idea of reasonably pushing back on bad laws (such as those that restricted competition in the taxi space) and stretched it into a license to ignore all sorts of rules. A company culture was created that celebrated rulebreaking in all sorts of ways — most of which were bad. The company has a new CEO, Dara Khosrowshahi, who comes in with a strong reputation and has indicated his intent to change the culture. On Tuesday, the company admitted that it had covered up that data on 57 million users had been leaked. While the data didn’t include credit card info or trip data, it did include drivers’ license info for 7 million drivers, and the email addresses and phone numbers of 50 million riders.

It’s bad enough that the data leaked, but covering it up is serious — and means that the company is going to be hit with lawsuits. California (among others) has a strong data breach law, and it seems quite likely that Uber broke that law in failing to alert people that their info had been accessed. Perhaps more incredibly, the cover-up happened at the very same time that the company was negotiating with FTC officials over a previous data breach. Also, it appears that Uber paid off the hackers who were trying to extort the company to keep the data secret:

Here’s how the hack went down: Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.

Apparently, Uber paid the hackers $100,000 to keep the data from getting out.
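The chain in the quoted account (credentials sitting in a private source repository, then reused against a cloud account) is one a defender can break earliest at the repository. The following is an added example, not code from the article or from Uber: a small pre-commit style scanner that flags cloud credentials before they reach a shared repo. The token patterns are assumptions drawn from publicly documented formats (AWS access key IDs begin with AKIA or ASIA, GitHub personal access tokens with ghp_), and the sample files, which use AWS's own documented placeholder credentials rather than real ones, are constructed for the demo.

```python
"""Pre-commit style scan for cloud credentials in repository text.

Added example, not Uber's tooling or code from the article. The breach
described above began with credentials found in a private source repo,
so the defensive control is to catch such strings before they are pushed.
"""
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    path: str
    line: int       # 1-based line number
    rule: str       # which pattern matched
    preview: str    # redacted match, safe to print in CI logs


# Patterns are assumptions based on publicly documented token formats.
RULES = [
    # AWS access key IDs: 20 chars, AKIA (long-term) or ASIA (temporary) prefix.
    ("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    # A 40-char secret only counts when it sits next to a telltale variable
    # name, which keeps ordinary base64 blobs from tripping the rule.
    ("aws-secret-access-key",
     re.compile(r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?"
                r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")),
    # GitHub personal access tokens (classic): ghp_ plus 36 alphanumerics.
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
]

# Constructed sample "repository": path -> file contents. The AWS values are
# the placeholder credentials from AWS documentation, not working keys.
SAMPLE_REPO: Dict[str, str] = {
    "deploy/config.py": (
        "# constructed example, not a real key\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "README.md": "Run `make deploy` after setting credentials in your environment.\n",
    "scripts/run.sh": "export AWS_PROFILE=prod\naws s3 ls s3://example-bucket\n",
}


def redact(secret: str) -> str:
    """Keep enough of the value to locate it, never enough to reuse it."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_text(path: str, text: str) -> List[Finding]:
    """Run every rule over every line of one file and collect redacted hits."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            for m in pattern.finditer(line):
                # Rules with a capture group report the group; others the whole match.
                value = m.group(m.lastindex or 0)
                findings.append(Finding(path, lineno, rule, redact(value)))
    return findings


def scan_repo(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> contents in a stable order."""
    out: List[Finding] = []
    for path in sorted(files):
        out.extend(scan_text(path, files[path]))
    return out


def gate(files: Dict[str, str]) -> int:
    """Return an exit status for a pre-commit hook: 0 = clean, 1 = block the commit."""
    findings = scan_repo(files)
    for f in findings:
        print(f"{f.path}:{f.line}: {f.rule}: {f.preview}")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_REPO))
```

Wired into a pre-commit hook, a non-zero return from `gate` stops the commit before the key ever reaches the remote. The scan only sees what is being committed now; anything already pushed into history has to be rotated, not just deleted. It is also only half of the control: the measure Uber's statement describes, restricting what the cloud-storage accounts can be reached with, is what limits the damage when a credential does slip through.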

In response to this, Khosrowshahi has put up a blog post taking responsibility for this and more or less admitting that the company had royally fucked up. He also fired two employees who were apparently responsible for covering this up (the report technically says one was “asked to resign” while the other was fired). The whole thing sounds like a complete shitshow from a company that, well, has a history of Broadway-level shitshows.

While the blog post is clearly an attempt to show that the company is trying to turn over a new leaf, the whole situation is still troubling. The blog post doesn’t mention paying off the hackers — it just says that the company “obtained assurances that the downloaded data had been destroyed.” It certainly feels like the overall statement could be stronger. Here’s part of it:

At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.

You may be asking why we are just talking about this now, a year later. I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it. What I learned, particularly around our failure to notify affected individuals or regulators last year, has prompted me to take several actions:

  • I’ve asked Matt Olsen, a co-founder of a cybersecurity consulting firm and former general counsel of the National Security Agency and director of the National Counterterrorism Center, to help me think through how best to guide and structure our security teams and processes going forward. Effective today, two of the individuals who led the response to this incident are no longer with the company.
  • We are individually notifying the drivers whose driver’s license numbers were downloaded.
  • We are providing these drivers with free credit monitoring and identity theft protection.
  • We are notifying regulatory authorities.
  • While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection.

None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.

It will be interesting to see if the company can really change its culture. I still think that the concept behind Uber is powerful and can do some fairly useful things in the world, but the way in which the company has gone about running its business has been a disgrace.

Companies: uber


Comments on “Uber Hid Security Breach Impacting 57 Million People, Paid Off Hackers”

30 Comments
Anonymous Coward says:

Re: Same "concept" as Lyft, yet you never mention it!

Actually, “on teh internets” is pretty much right out of Star Trek. The Enterprise could query data from Starfleet HQ via subspace communication from thousands, if not millions, of light years away. And they could also make subspace visual and audio communications from similar distances.

So yeah, Star Trek! 🙂

Anonymous Coward says:

Re: Re: Same "concept" as Lyft, yet you never mention it!

To be honest, I was thinking the same thing until I hit

I still think that the concept behind Uber is powerful and can do some fairly useful things in the world, but the way in which the company has gone about running its business has been a disgrace.

This is the final sentence in the article. My immediate thought was "Um, Lyft?"

I think he either needs to add an "as illustrated by Lyft" in there, or just leave it as "the way in which the company has gone about running its business has been a disgrace, no matter what industry they’re in."

So yeah, the AC has a point, even though his spin is a bit off.

PaulT (profile) says:

Re: Re: Re: Same "concept" as Lyft, yet you never mention it!

But, Mike certainly does talk about Lyft. Just search for the name. There are plenty of articles addressing them.

However, as they were founded well after Uber and have been doing a lot less newsworthy things overall in the last couple of years, he hasn’t written as much about them as Uber. Nor has anyone else, really.

Uber are the pioneers of the space and the most newsworthy regarding their actions overall, so they get written about more than competitors. That’s not a problem, any more than it’s a problem that Harvey Weinstein has been written about more than Jason Blum in the press despite the fact they are both successful movie producers.

“So yeah, the AC has a point”

He really doesn’t. It’s just his usual schtick – if he can’t counter anything that’s written in the article, he attacks things that are irrelevant to it.

PaulT (profile) says:

Re: Re: Same "concept" as Lyft, yet you never mention it!

Almost as if there’s an obsessive idiot who always has to attack Mike about something, even if he agrees with what’s actually written in the article. You’ll notice that he doesn’t actually address the words in the article, only whines about what’s not been said (largely because it’s irrelevant to the article), coupled with an idiotic, patently untrue personal attack.

What a sad excuse for a human being.

McGyver (profile) says:

No excuses... No regrets either...

And I’m sure the hackers did nothing with that data after they were paid…
Uber is the poster child for why rules and regulations aren’t such a bad idea.
My favorite line though, is: “We will learn from our mistakes…”
Is there some magic number of mistakes they are waiting to accumulate before the learning starts?
52?
180?
42,673?

Anonymous Coward says:

Re: Google gets caught red-handed SPYING on people, AGAIN. TechDirt attempts to whitewash, sanitize, and distract from this fact, AGAIN. They fool absolutely NOBODY.... AGAIN.

searches all major news outlets (and several minor ones), finds absolutely nothing about Google caught spying on people

Citation?

Anonymous Coward says:

Re: Re: Re:2 Google gets caught red-handed SPYING on people, AGAIN. TechDirt attempts to whitewash, sanitize, and distract from this fact, AGAIN. They fool absolutely NOBODY.... AGAIN.

Proving once again that copyright-types simply cannot be satisfied.

You can give them what they ask for to the letter, and they’ll never be happy.

ryuugami says:

Re: Re: Re:3 Google gets caught red-handed SPYING on people, AGAIN. TechDirt attempts to whitewash, sanitize, and distract from this fact, AGAIN. They fool absolutely NOBODY.... AGAIN.

Proving once again that copyright-types simply cannot be satisfied.

You can give them what they ask for to the letter, and they’ll never be happy.

Well, if you do that, they’ll say it’s copyright infringement…

Anonymous Coward says:

Re: Re: Re:2 Google gets caught red-handed SPYING on people, AGAIN. TechDirt attempts to whitewash, sanitize, and distract from this fact, AGAIN. They fool absolutely NOBODY.... AGAIN.

And what part about “TechDirt attempts to whitewash, sanitize, and distract from this fact, AGAIN. They fool absolutely NOBODY…. AGAIN.” do you not understand? It’s in the article they attempt to do this, as they do in EVERY article where google is caught red-handed doing something nefarious.

For example: “There are some caveats to Google’s permissionless collection of cell site location data, with the most significant being the fact Google didn’t store the auto-collected cell tower info. That doesn’t excuse the practice, but it at least keeps it from becoming tracking data the government can access without a warrant.”

Here, TechDirt is doing nothing more than taking google’s word as absolute “fact”, something they would NEVER do if it had been anyone else (as anyone in their right mind should never do). Right off the bat, TechDirt is trying to minimize what it is and the ramifications of it based on nothing more than google’s “say so”, as if google would ever admit to handing the data straight to the feds as they so obviously do, as evidenced, in part, by Snowden’s documents, (of which the only ones to deny the documents where true were Mike and google WHEN the documents actually mentioned/applied to google).

Anonymous Coward says:

Re: Re: Re:3 Google gets caught red-handed SPYING on people, AGAIN. TechDirt attempts to whitewash, sanitize, and distract from this fact, AGAIN. They fool absolutely NOBODY.... AGAIN.

This would carry more weight if the statement didn’t come from a tard who regularly admits he’s just here to mock the site simply for the fact that it exists.

Nice to see that you’ve chosen to back the corner of the guy who thinks that if you can’t afford healthcare you should throw yourself off a cliff.

PaulT (profile) says:

Re: Re: Re:3 Google gets caught red-handed SPYING on people, AGAIN. TechDirt attempts to whitewash, sanitize, and distract from this fact, AGAIN. They fool absolutely NOBODY.... AGAIN.

“Here, TechDirt is doing nothing more than taking google’s word as absolute “fact””

Well, do you have evidence that what they said is not fact? If not, you’re just as bad as they are, dismissing Google’s words out of hand in the same way you criticise this site for believing them. Unless you have evidence that Google were indeed storing the information, then the thing you’re whining about may indeed be fact.

You would be taken a lot more seriously if you ever backed your own words up with evidence, rather than just bitching that a site you pathologically hate for some reason doesn’t attack a company you hate for similarly unclear reasons. But, you do nothing but whine, usually about things that are clearly untrue to begin with.

PaulT (profile) says:

Re: Google gets caught red-handed SPYING on people, AGAIN. TechDirt attempts to whitewash, sanitize, and distract from this fact, AGAIN. They fool absolutely NOBODY.... AGAIN.

It’s amazing, really. Techdirt literally write an article about what you want them to address, and you still lose your shit because they wrote about another company in a separate article.

You people really need help.

Anonymous Coward says:

This is priceless

“We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed.”

“Assurances”. They obtained “assurances”. And now they’re telling everyone that since they were stupid enough to believe those that we should all be too.

Let that just sink in for a moment. The CEO of a multi-billion dollar scaXXXcompany actually put that in writing and — apparently — the legal team didn’t put down their bourbon and run as fast as they could to tackle him before he published it.

TD user “McGyver”, elsewhere in this thread, says “Uber is the poster child for why rules and regulations aren’t such a bad idea.” and that’s absolutely right. The best outcome here would be the forcible shutdown of Uber, confiscation of all business records, email, etc., investigation by an independent prosecutor (with prosecutions to follow if warranted), and dispersion of the company’s assets to its victims as a means of partial compensation. Uber is a malignant cancer.

Zgaidin (profile) says:

Honestly don't have a problem with CEO response

According to his wikipedia article, Khosrowshahi didn’t become CEO of Uber until August of this year, so it appears that none of this happened under his watch (or if the last parts of this shitshow did, he didn’t have any part in it). He found out about it, ordered an investigation, and then went public with the info. That seems like a pretty stand-up thing to do. Honestly, I’d like to dislike this guy, as I worked at Expedia during his tenure and left the company with a very nasty taste in my mouth (he had nothing to do with it personally), but I just can’t find any fault with his response here. If you’re going to change a company’s culture, it has to start at the top, and this looks like a promising start.

Anonymous Coward says:

” I still think that the concept behind Uber is powerful and can do some fairly useful things in the world,”

I am not as impressed with this so called gig economy. So far it appears to be just another way to screw the little guys and pocket the proceeds. Who was that political hack who said that to get rid of unemployment all we need to do is get rid of the minimum wage, it is the same sort of thing … I will call it the myopic economy.
