eDiscovery Daily Blog

Uber’s Response to Data Breach? Pay the Hackers to Keep Quiet About It: Cybersecurity Trends

Hackers stole the personal data of 57 million customers and drivers from Uber last year. Their response? Conceal the breach for more than a year, and pay the hackers $100,000 to delete the data (sure they did) and keep quiet about the breach.

As reported on Bloomberg (Uber Paid Hackers to Delete Stolen Data on 57 Million People, written by Eric Newcomer) last week, compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world. The personal information of about 7 million drivers was accessed as well, including some 600,000 U.S. driver’s license numbers. No Social Security numbers, credit card information, trip location details or other data were taken, Uber said.

According to Bloomberg, the breach occurred when two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.
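The chain described above (credentials sitting in a source repository, then reused against the company's cloud account) is exactly the exposure that repository secret scanning is meant to catch before a commit lands. As an added illustration that is not from the article or from Uber, here is a small scanner that flags AWS-style access key IDs and high-entropy secret access keys in text; the sample config and every value in it are constructed, and the `find_aws_credentials` name is the example's own.

```python
import math
import re

# AWS access key IDs are 20 characters starting with AKIA (long-term) or ASIA (temporary).
AWS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# A 40-character base64-style token assigned to a "secret key" style variable name.
AWS_SECRET_RE = re.compile(
    r"(?i)(?:aws)?_?secret(?:_access)?_key\W{0,5}['\"]?([A-Za-z0-9/+=]{40})['\"]?"
)


def shannon_entropy(s: str) -> float:
    """Bits per character: real secrets are high-entropy, placeholders are not."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_aws_credentials(text: str, min_entropy: float = 3.5):
    """Return (line_number, kind, value) for each suspected AWS credential in text.

    Access key IDs have a fixed format, so they are always reported. Candidate
    secret keys are only reported when their entropy exceeds min_entropy, which
    drops obvious placeholders such as a run of identical characters.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID_RE.finditer(line):
            findings.append((lineno, "access_key_id", m.group(1)))
        for m in AWS_SECRET_RE.finditer(line):
            secret = m.group(1)
            if shannon_entropy(secret) >= min_entropy:
                findings.append((lineno, "secret_access_key", secret))
    return findings


# Constructed sample of the kind of file that should never be committed; both
# keys are fake and merely follow the documented formats.
SAMPLE_CONFIG = """\
# deployment settings (constructed sample)
AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000001
aws_secret_access_key = "Qb7xK2mP9vL4nT8wR1sY6uZ3cF5hJ0dG2eA4iO7k"
# placeholder value, should not be reported
aws_secret_access_key = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
db_password = hunter2
"""

if __name__ == "__main__":
    for lineno, kind, value in find_aws_credentials(SAMPLE_CONFIG):
        print(f"line {lineno}: {kind} {value[:4]}...")  # never echo the full secret
```

Wiring a check like this into a pre-commit hook or CI job turns a committed cloud key into a blocked commit rather than a foothold into the account that holds customer data.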

Travis Kalanick, Uber’s co-founder and former CEO, learned of the hack in November 2016, a month after it took place, the company said. Uber had just settled a lawsuit with the New York attorney general over data security disclosures and was in the process of negotiating with the Federal Trade Commission over the handling of consumer data. According to Bloomberg, Kalanick declined to comment on the hack.

Joe Sullivan, the outgoing security chief, spearheaded the response to the hack last year, a spokesman told Bloomberg. Dara Khosrowshahi, the new CEO as of September, asked for the resignation of Sullivan and fired Craig Clark, a senior lawyer who reported to Sullivan.

“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said in an emailed statement. “We are changing the way we do business.”

After Uber’s disclosure, New York Attorney General Eric Schneiderman launched an investigation into the hack, his spokeswoman Amy Spitalnick said. And it should come as no surprise that the company has already been sued for negligence over the breach by a customer seeking class-action status.

So, what do you think? How severely should Uber be punished for failing to disclose the breach? Please share any comments you might have or if you’d like to know more about a particular topic.

Hat tip (as always) to Sharon Nelson of Ride the Lightning for her coverage of the story.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.