Hackers accessed a bunch of data on Uber drivers and customers in late 2016 but the company chose not to notify either regulators or those affected.
This is just the latest legacy bestowed on Uber CEO Dara Khosrowshahi by his predecessor and Uber founder Travis Kalanick. The company seems to be a magnet for controversy and recently had its license to operate in London revoked over public safety concerns. Khosrowshahi was brought in earlier this year to steady the ship, but skeletons keep emerging from the corporate closet.
“I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use,” wrote Khosrowshahi in an announcement. “The incident did not breach our corporate systems or infrastructure. Our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded.”
From the many reports on this it appears the hackers got hold of some login details for an AWS account and it was from there that they downloaded the data. They then used that data to blackmail Uber, in the manner that is becoming increasingly common in the cyber-crime world.
Data breaches have become so common in recent years that we might not have even bothered reporting on this one were it not for the way Uber handled it. Apparently it paid the hackers $100,000 to delete the data and keep quiet, and then made out like the payment was a ‘bug bounty’ that is commonly paid to by companies to hackers to test their security.
“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals,” wrote Khosrowshahi. “We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”
The dodgy part of all this is the extent to which it was hushed-up. Uber’s Chief Security Officer – Joe Sullivan – has already been shown the door for the part he played in it and it asks further questions of Kalanick, who remains on the company’s board. The New York Attorney General has already opened an investigation into the matter and given the company’s track record it can expect to be given little benefit of the doubt.