Uber Kept Hacking Incident Secrets for Months, 57 Million Users Allegedly Affected

Image Source: Market Watch

Hacking incidents can make or break a company; that is the mood in the tech world after this year’s Equifax data breach. It is bad enough for any company to be hacked and have the news break, and worse still if it kept the incident secret for months before notifying its customers and the authorities. Better, from the company’s point of view, to keep the fact to itself forever.

Too bad for Uber, the media learned about it anyway. Uber told Bloomberg last Tuesday that the company had been hacked and had kept quiet about it. The incident happened under Uber’s former CEO Travis Kalanick, who found out about it one month later: hackers accessed Uber’s files and stole the personal data of 57 million customers, including driver’s license numbers. Uber’s new CEO, Dara Khosrowshahi, found out about it and came clean this week. The company blames its outgoing chief security officer Joe Sullivan, a former federal prosecutor who previously worked for Facebook, Inc.

“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said. “We are changing the way we do business.”

Dara Khosrowshahi (Image Source: RTT News)

Thinking they could make the problem go away easily, Uber reportedly paid the hackers $100,000 to delete the stolen data and keep the incident secret. The attack happened in October 2016 and was never reported until now, violating a law that requires companies to report such incidents. At the time, Uber was under investigation by US regulators for privacy violations. Uber believes the hackers never used the data. It has also refused to reveal the identities of the hackers.

New York Attorney General Eric Schneiderman called for an investigation of the incident, and the company is now also being sued for negligence by a customer for failing to report the breach.

So how did Uber fall victim to a hacking incident? The attackers apparently first accessed the GitHub coding site used by Uber’s software engineers. They then used login credentials found there to access data stored in the Amazon Web Services account used by the company. It was here that the hackers discovered the archived information about users, both riders and drivers. After stealing the data, they contacted Uber and held the stolen information for ransom.
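The root cause described above is credential material sitting in a code repository. A defensive control for that is a scanner run on files before they are committed; the following is an added example, not Uber’s code or any tool the article names. It assumes AWS’s public access key ID format (the AKIA/ASIA prefix plus 16 upper-case alphanumerics) and an entropy threshold of 4.0 bits per character as a heuristic for secret keys; the sample file is constructed, using AWS’s own documented example key values.

```python
import math
import re
import sys
from collections import Counter

# Constructed sample: a deploy config an engineer might commit by mistake.
# The key values are AWS's documented example credentials, not real ones.
SAMPLE_FILE = """\
# deploy settings
region = us-east-1
AWS_ACCESS_KEY_ID = AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
password = changeme
"""

# Access key IDs: fixed prefix (AKIA long-term, ASIA temporary) + 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret access keys have no prefix, so look for a 40-char base64-like value
# assigned to a variable whose name says "secret ... key".
SECRET_ASSIGN_RE = re.compile(
    r"(?i)(?:aws_)?secret(?:_access)?_key\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

def shannon_entropy(s):
    """Bits of entropy per character; real secrets score high, placeholders low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def scan(text, entropy_threshold=4.0):
    """Return (line_number, finding_type, matched_value) for each suspected credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "aws_access_key_id", m.group(0)))
        m = SECRET_ASSIGN_RE.search(line)
        # The entropy check drops obvious placeholders such as 40 repeated letters.
        if m and shannon_entropy(m.group(1)) >= entropy_threshold:
            findings.append((lineno, "aws_secret_access_key", m.group(1)))
    return findings

if __name__ == "__main__":
    # Pre-commit style usage: scan the files named on the command line (or the
    # built-in sample) and exit non-zero, failing the commit, when anything is found.
    paths = sys.argv[1:]
    blobs = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in paths] or [("SAMPLE_FILE", SAMPLE_FILE)]
    hits = [(p, f) for p, text in blobs for f in scan(text)]
    for p, (lineno, kind, value) in hits:
        print(f"{p}:{lineno}: {kind}: {value[:4]}...{value[-4:]}")  # never echo the whole secret
    sys.exit(1 if hits else 0)
```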

Khosrowshahi explains: “At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals… We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”

Travis Kalanick (Image Source: Business Insider)

And this isn’t even the first time Uber has withheld information about a data breach. In September 2014 Uber was hacked and the information of as many as 50,000 of its users was compromised. Then, too, it delayed reporting the incident, and in 2016 it agreed to pay a fine of $20,000 for the failure to report. Eric Schneiderman also handled that matter: Uber reported the incident to his office on February 26 of the following year, 6 months after the hack was discovered.

The earlier event was strikingly similar: the intruder also gained access to Uber’s files via GitHub. In that case, one of Uber’s engineers had posted an access ID where the public could see it, and by May 2014 someone unconnected to the company had accessed its database.

Kalanick was removed as Uber’s CEO last June and was replaced by Khosrowshahi due to investors’ concerns. The company plans to release a statement regarding the incident, claiming that the stolen data has not been misused in any way. They also promised to provide the affected users with free identity theft and credit protection.