Uber Hid Security Breach Impacting 57 Million People, Paid Off Hackers
from the not-good,-uber,-not-good dept
It's no secret that Uber's management over the years has been pretty sketchy, if not downright nefarious. At some point I may write a longer post about this, but it appears that the company culture took the idea of reasonably pushing back on bad laws (such as those that restricted competition in the taxi space) and stretched it to mean that it could simply ignore all sorts of rules. The result was a culture that celebrated rulebreaking in all sorts of ways -- most of them bad. The company has a new CEO, Dara Khosrowshahi, who comes in with a strong reputation and has signaled his intent to change that culture. On Tuesday, the company admitted that it had covered up a breach in which data on 57 million users was leaked. While the data didn't include credit card info or trip data, it did include drivers' license info for 7 million drivers, and the email addresses and phone numbers of 50 million riders.
It's bad enough that the data leaked, but covering it up is serious -- and means that the company is going to be hit with lawsuits. California (among others) has a strong data breach law, and it seems quite likely that Uber broke that law in failing to alert people that their info had been accessed. Perhaps more incredibly, the cover-up happened at the very same time that the company was negotiating with FTC officials over a previous data breach. Also, it appears that Uber paid off the hackers who were trying to extort the company to keep the data secret:
Here’s how the hack went down: Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.
Apparently, Uber paid the hackers $100,000 to keep the data from getting out.
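The attack chain quoted above started with credentials sitting in a source repository. The usual defensive control for that is a secret scanner run as a pre-commit hook or CI step, so a key never reaches the repo in the first place. The following is an added example written for this page, not code from Uber or from the report quoted above. It assumes nothing about Uber's actual repositories or cloud setup; the rules are the common scanner heuristics (the AWS access key ID format is from AWS's public documentation, the other two are conventional patterns), and the sample config is constructed, using the placeholder example credentials AWS publishes in its own docs rather than any real key.

```python
import math
import re

# Credential patterns commonly used by secret scanners. The AWS access key ID
# format (AKIA followed by 16 uppercase alphanumerics) comes from AWS's public
# documentation; the other two rules are widely used heuristics, not an official spec.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"
    ),
    "private_key_block": re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"),
}

# The secret-key rule only reports tokens that look random; anything below this
# entropy is treated as a template placeholder such as "xxxx...".
MIN_SECRET_ENTROPY = 3.5


def shannon_entropy(token: str) -> float:
    """Bits per character of the token; 0.0 for a single repeated character."""
    if not token:
        return 0.0
    counts = {}
    for ch in token:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(token)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(token: str) -> str:
    """Keep only the ends so a finding can be reported without re-leaking the secret."""
    if len(token) <= 8:
        return "*" * len(token)
    return token[:4] + "*" * (len(token) - 8) + token[-4:]


def scan_text(text: str, source: str = "<stdin>") -> list:
    """Return one finding per matched credential, with the token redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                token = match.group(1)
                if rule == "aws_secret_access_key" and shannon_entropy(token) < MIN_SECRET_ENTROPY:
                    continue  # low-entropy placeholder, not a real secret
                findings.append(
                    {"source": source, "line": lineno, "rule": rule, "token": redact(token)}
                )
    return findings


# Constructed sample file content. The AWS key values are the placeholder example
# credentials published in AWS's own documentation; they are not live keys.
SAMPLE_CONFIG = """\
[default]
region = us-west-2
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# the next line is a template placeholder and should be ignored
aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA... (constructed, truncated)
"""


def main() -> int:
    findings = scan_text(SAMPLE_CONFIG, source="sample.cfg")
    for f in findings:
        print(f"{f['source']}:{f['line']}: {f['rule']}: {f['token']}")
    # Non-zero exit so a pre-commit hook or CI step blocks the commit.
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run as a hook, the script exits non-zero whenever it finds something, which is what blocks the commit; the entropy filter is what keeps template placeholders from producing noise that teaches developers to ignore the check. Scanning only new commits is not enough on its own: a key that was ever pushed is in the history and has to be rotated, not just deleted.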
In response to this, Khosrowshahi has put up a blog post taking responsibility for this and more or less admitting that the company had royally fucked up. He also fired two employees who were apparently responsible for covering this up (the report technically says one was "asked to resign" while the other was fired). The whole thing sounds like a complete shitshow from a company that, well, has a history of Broadway-level shitshows.
While the blog post is clearly an attempt to show that the company is trying to turn over a new leaf, the whole situation is still troubling. The blog post doesn't mention paying off the hackers -- it just says that the company "obtained assurances that the downloaded data had been destroyed." It certainly feels like the overall statement could be stronger. Here's part of it:
At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.
You may be asking why we are just talking about this now, a year later. I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it. What I learned, particularly around our failure to notify affected individuals or regulators last year, has prompted me to take several actions:
- I’ve asked Matt Olsen, a co-founder of a cybersecurity consulting firm and former general counsel of the National Security Agency and director of the National Counterterrorism Center, to help me think through how best to guide and structure our security teams and processes going forward. Effective today, two of the individuals who led the response to this incident are no longer with the company.
- We are individually notifying the drivers whose driver’s license numbers were downloaded.
- We are providing these drivers with free credit monitoring and identity theft protection.
- We are notifying regulatory authorities.
- While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection.
None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.
It will be interesting to see if the company can really change its culture. I still think that the concept behind Uber is powerful and can do some fairly useful things in the world, but the way in which the company has gone about running its business has been a disgrace.
Filed Under: breach reporting, bug bounty, dara khosrowshahi, hacks, security breach, trashfire
Companies: uber
Reader Comments
I’m shocked! Shocked!
…well, not that shocked.
Same "concept" as Lyft, yet you never mention it!
Oh, and by the way: this is criminal in my view, and may be in a prosecutor's too, especially with Uber investigated / dodging at that time.
Re: Same "concept" as Lyft, yet you never mention it!
So yeah, Star Trek! :)
Re: Same "concept" as Lyft, yet you never mention it!
Re: Re: Same "concept" as Lyft, yet you never mention it!
To be honest, I was thinking the same thing until I hit
This is the final sentence in the article. My immediate thought was "Um, Lyft?"
I think he either needs to add an "as illustrated by Lyft" in there, or just leave it as "the way in which the company has gone about running its business has been a disgrace, no matter what industry they're in."
So yeah, the AC has a point, even though his spin is a bit off.
Re: Re: Re: Same "concept" as Lyft, yet you never mention it!
However, as they were founded well after Uber and have been doing a lot less newsworthy things overall in the last couple of years, he hasn't written as much about them as Uber. Nor has anyone else, really.
Uber are the pioneers of the space and the most newsworthy regarding their actions overall, so they get written about more than competitors. That's not a problem, any more than it's a problem that Harvey Weinstein has been written about more than Jason Blum in the press despite the fact they are both successful movie producers.
"So yeah, the AC has a point"
He really doesn't. It's just his usual schtick - if he can't counter anything that's written in the article, he attacks things that are irrelevant to it.
Re: Re: Re: Same "concept" as Lyft, yet you never mention it!
Re: Re: Same "concept" as Lyft, yet you never mention it!
What a sad excuse for a human being.
Re: Same "concept" as Lyft, yet you never mention it!
What does the concept of ridesharing have to do with the article in question?
Re: Re: Same "concept" as Lyft, yet you never mention it!
Re: Same "concept" as Lyft, yet you never mention it!
No excuses... No regrets either...
Uber is the poster child for why rules and regulations aren't such a bad idea.
My favorite line though, is: "We will learn from our mistakes..."
Is there some magic number of mistakes they are waiting to accumulate before the learning starts?
52?
180?
42,673?
Google gets caught red-handed SPYING on people, AGAIN. TechDirt attempts to whitewash, sanitize, and distract from this fact, AGAIN. They fool absolutely NOBODY.... AGAIN.
Re: Google gets caught red-handed SPYING on people, AGAIN. TechDirt attempts to whitewash, sanitize, and distract from this fact, AGAIN. They fool absolutely NOBODY.... AGAIN.
Re: Google gets caught red-handed SPYING on people, AGAIN. TechDirt attempts to whitewash, sanitize, and distract from this fact, AGAIN. They fool absolutely NOBODY.... AGAIN.
Citation?
Re: Re: Google gets caught red-handed SPYING on people, AGAIN. TechDirt attempts to whitewash, sanitize, and distract from this fact, AGAIN. They fool absolutely NOBODY.... AGAIN.
https://qz.com/1131515/google-collects-android-users-locations-even-when-location-services-are-disabled/
Re: Re: Re: Google gets caught red-handed SPYING on people, AGAIN. TechDirt attempts to whitewash, sanitize, and distract from this fact, AGAIN. They fool absolutely NOBODY.... AGAIN.
Techdirt wrote an article about that yesterday, FYI.
Re: Re: Re: Re: Google gets caught red-handed SPYING on people, AGAIN. TechDirt attempts to whitewash, sanitize, and distract from this fact, AGAIN. They fool absolutely NOBODY.... AGAIN.
You can give them what they ask for to the letter, and they'll never be happy.
Re: Re: Re: Re: Re: Google gets caught red-handed SPYING on people, AGAIN. TechDirt attempts to whitewash, sanitize, and distract from this fact, AGAIN. They fool absolutely NOBODY.... AGAIN.
Well, if you do that, they'll say it's copyright infringement...
Re: Re: Re: Re: Google gets caught red-handed SPYING on people, AGAIN. TechDirt attempts to whitewash, sanitize, and distract from this fact, AGAIN. They fool absolutely NOBODY.... AGAIN.
For example: "There are some caveats to Google's permissionless collection of cell site location data, with the most significant being the fact Google didn't store the auto-collected cell tower info. That doesn't excuse the practice, but it at least keeps it from becoming tracking data the government can access without a warrant."
Here, TechDirt is doing nothing more than taking google's word as absolute "fact", something they would NEVER do if it had been anyone else (as anyone in their right mind should never do). Right off the bat, TechDirt is trying to minimize what it is and the ramifications of it based on nothing more than google's "say so", as if google would ever admit to handing the data straight to the feds as they so obviously do, as evidenced, in part, by Snowden's documents (of which the only ones to deny the documents were true were Mike and google WHEN the documents actually mentioned/applied to google).
Re: Re: Re: Re: Re: Google gets caught red-handed SPYING on people, AGAIN. TechDirt attempts to whitewash, sanitize, and distract from this fact, AGAIN. They fool absolutely NOBODY.... AGAIN.
Nice to see that you've chosen to back the corner of the guy who thinks that if you can't afford healthcare you should throw yourself off a cliff.
Re: Re: Re: Re: Re: Google gets caught red-handed SPYING on people, AGAIN. TechDirt attempts to whitewash, sanitize, and distract from this fact, AGAIN. They fool absolutely NOBODY.... AGAIN.
Well, do you have evidence that what they said is not fact? If not, you're just as bad as they are, dismissing Google's words out of hand in the same way you criticise this site for believing them. Unless you have evidence that Google were indeed storing the information, then the thing you're whining about may indeed be fact.
You would be taken a lot more seriously if you ever backed your own words up with evidence, rather than just bitching that a site you pathologically hate for some reason doesn't attack a company you hate for similarly unclear reasons. But, you do nothing but whine, usually about things that are clearly untrue to begin with.
Re: Google gets caught red-handed SPYING on people, AGAIN. TechDirt attempts to whitewash, sanitize, and distract from this fact, AGAIN. They fool absolutely NOBODY.... AGAIN.
You people really need help.
This is priceless
"Assurances". They obtained "assurances". And now they're telling everyone that since they were stupid enough to believe those that we should all be too.
Let that just sink in for a moment. The CEO of a multi-billion dollar scaXXXcompany actually put that in writing and -- apparently -- the legal team didn't put down their bourbon and run as fast as they could to tackle him before he published it.
TD user "McGyver", elsewhere in this thread, says "Uber is the poster child for why rules and regulations aren't such a bad idea." and that's absolutely right. The best outcome here would be the forcible shutdown of Uber, confiscation of all business records, email, etc., investigation by an independent prosecutor (with prosecutions to follow if warranted), and dispersion of the company's assets to its victims as a means of partial compensation. Uber is a malignant cancer.
Oh, fuck off with that shit, already.
May as well just give out hot blankets and cocoa, it'll do more to comfort people.
Honestly don't have a problem with CEO response
Why are they storing license info?
Re: Why are they storing license info?
Insurance and regulations where you have to prove at any given time that someone is licensed to do so.
Re: Re: Why are they storing license info?
I am not as impressed with this so called gig economy. So far it appears to be just another way to screw the little guys and pocket the proceeds. Who was that political hack who said that to get rid of unemployment all we need to do is get rid of the minimum wage, it is the same sort of thing ... I will call it the myopic economy.