Uber Paid Hackers $100,000 To Cover Up 2016 Data Theft

[Guest]

Uber announced that personal information regarding 57 million of its riders and drivers was stolen in 2016. The company initially covered up the data theft by paying the hackers $100,000 in exchange for deleting their copy of the information.

Uber Paid Hackers $100,000 To Cover Up 2016 Data Theft : Read more

 

[termathor]

"The company was careful to note that none of this information was stolen from its own infrastructure. Instead, it was taken from a "third-party cloud-based service." According to Bloomberg, the service in question is Amazon Web Services, and the attackers didn't so much compromise the service as they stole credentials Uber engineers stored unprotected on GitHub. With those credentials in hand, the data was easy to grab."

Wow, that is top-notch PR: blaming AWS because, indeed, it was stolen from their infra ... and forgetting to tell people "By the way, we're used to leave our AWS credentials in the wild, unencrypted" ...

Great !

 

[USAFRet]

57 million.

"The company was careful to note..."
"...that they will say anything that tries to deflect liability from their abysmal practices."

And then paid $100k so the hackers would delete their copy? LOLOL

 

[LeeRains]

I deleted Uber from my phone 2 scandals prior to this one. Via and Lyft work great in Manhattan when subways and buses aren’t convenient.

Even in the midst a cultural tsunami of scandals, Uber manages to continually stick out. Why do people continue to use Uber over its as-good or better competitors? Do these people also request the riskiest route home for no reason as well?

 

[cryoburner]

To be fair, the leaked information seems pretty minor. Names, email addresses, and phone numbers are not exactly ultra-private information, and can often be easily found online. While cell phone numbers might not be public knowledge by default, most landline numbers were always freely accessible to the public. They didn't mention anything about addresses either, so most of the leaked information would be of limited usefulness.

 

[USAFRet]

To be fair, the leaked information seems pretty minor. Names, email addresses, and phone numbers are not exactly ultra-private information, and can often be easily found online. While cell phone numbers might not be public knowledge by default, most landline numbers were always freely accessible to the public. They didn't mention anything about addresses either, so most of the leaked information would be of limited usefulness.

The problems are:

The actual leak
Their crappy security practices
Covering it up for a year
And then paying the $100k

When we give information to these companies, we are trusting them not to screw it up.
If Uber had said, up front when you sign up for the service, "We will distribute any and all of the information you give us, to whoever asks or steals it."....would you use their service?
No. Somewhere in their ToS, they almost certainly said something to the effect of "Your data is safe with us".
Apparently not.

Many fools would, but I know I would not. And neither would you.

 

[JamesSneed]

Makes you wonder what else we don't know about.

 

[cryoburner]

If Uber had said, up front when you sign up for the service, "We will distribute any and all of the information you give us, to whoever asks or steals it."....would you use their service?
No. Somewhere in their ToS, they almost certainly said something to the effect of "Your data is safe with us".

I don't use their service anyway, so they can put whatever they want in there. : P

My point was more that the compromised data was arguably not nearly as vital as that leaked by other companies mentioned in the article. A list of names, phone numbers and email addresses is something easy to come by, and while such information could potentially be used to make a phishing attack more effective, for example, it's not a huge breach of privacy in itself. Someone bothered by that should be more concerned about the vast stores of user data gathered and "safely" stored by companies like Google.

And technically, it doesn't even sound like the data has been leaked beyond those who initially acquired it. It could also probably be argued that the $100,000 was paid for uncovering the security issues that made the data leak possible. $100,000 isn't really a huge sum of money for a multi-billion dollar company, after all. Of course, they should have disclosed the leak to regulators, even if they considered the payment as money paid to "security researchers" who they were reasonably sure were not going to make further use of the data.

 

[tommyjarvis2756]

"The company was careful to note that none of this information was stolen from its own infrastructure. Instead, it was taken from a "third-party cloud-based service." According to Bloomberg, the service in question is Amazon Web Services, and the attackers didn't so much compromise the service as they stole credentials Uber engineers stored unprotected on GitHub. With those credentials in hand, the data was easy to grab."

Wow, that is top-notch PR: blaming AWS because, indeed, it was stolen from their infra ... and forgetting to tell people "By the way, we're used to leave our AWS credentials in the wild, unencrypted" ...

Great !

They clearly needed to get rid of this PR person as well. A good majority of the public might miss it, but the security experts behind the microscope are slapping their foreheads in unison. When you decide to host your data through a cloud provider, that environment you configure IS your infrastructure; YOU are responsible for securing it. Their credentials were obtained from a (perfect example) poorly-configured environment; AND, storing credentials online is about the dumbest thing you could possibly do.

 

[tommyjarvis2756]

To be fair, the leaked information seems pretty minor. Names, email addresses, and phone numbers are not exactly ultra-private information, and can often be easily found online. While cell phone numbers might not be public knowledge by default, most landline numbers were always freely accessible to the public. They didn't mention anything about addresses either, so most of the leaked information would be of limited usefulness.

The problems are:

The actual leak
Their crappy security practices
Covering it up for a year
And then paying the $100k

When we give information to these companies, we are trusting them not to screw it up.
If Uber had said, up front when you sign up for the service, "We will distribute any and all of the information you give us, to whoever asks or steals it."....would you use their service?
No. Somewhere in their ToS, they almost certainly said something to the effect of "Your data is safe with us".
Apparently not.

Many fools would, but I know I would not. And neither would you.

100% spot on. This brings to mind the Equifax hack, and just leaves me bewildered that they were then HIRED BY THE GOVERNMENT to protect the IRS from fraud. My autistic cat is more qualified to protect IRS data than Equifax.