Uber Got Hacked a Year Ago and Paid the Hackers to Keep It Secret Uber reportedly paid the hackers $100,000 to delete the stolen data and keep quiet about it.

By Michael Kan

This story originally appeared on PCMag

via PC Mag

Uber is only now going public about an October 2016 data breach that affected the data of Uber drivers as well as 57 million users, exposing their names, email addresses and mobile phone numbers.

Uber's new CEO Dara Khosrowshahi said Tuesday that he only recently learned about the incident, which Uber discovered in November 2016.

"You may be asking why we are just talking about this now, a year later," wrote Khosrowshahi, who was hired in August. "I had the same question, so I immediately asked for a thorough investigation."

Uber found that "two individuals outside the company" accessed user data -- including the names and driver's license numbers of 600,000 drivers in the U.S. -- via a third-party cloud service.

"We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed," Uber's CEO wrote.

According to Bloomberg, Uber paid the hackers $100,000 to delete the data and stay quiet.

No trip location history, credit card numbers or other sensitive data like Social Security numbers were downloaded by the hackers, Khosrowshahi said. Uber is now notifying drivers affected by the breach and monitoring affected user accounts with additional fraud protection. So far, Uber has found no evidence of fraud or misuse related to the breach.

However, it's unclear why Uber didn't alert regulatory authorities. Most states, including California, have laws that demand companies disclose data breaches when they affect local residents' personal information.

"None of this should have happened, and I will not make excuses for it," according to Khosrowshahi, who fired the two people who led the company's response to the breach. That includes Uber's chief security officer Joe Sullivan, Bloomberg says.

"While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes," Khosrowshahi said.

Uber did not immediately respond to a request for comment.

Why paying hackers can be problematic

The company's decision to reportedly pay off the hackers is raising a lot of questions.

Did the hackers really delete the stolen data? Why is Uber so confident that the hackers kept their word?

"You are basically relying on the integrity of a criminal group," said security expert Vincent Weafer, vice president of McAfee Labs.

Uber's statement on Tuesday oddly indicates the company actually knows the hackers' identities. But that same statement doesn't mention anything about Uber contacting the FBI to arrest the hackers.

"It's a very unusual case," said Weafer, who pointed out that hackers can't be trusted.

For instance, many businesses are experiencing ransomware attacks from cybercrminals. These attacks will hold computer systems hostage, and demand the victims pay a ransom to free them.

However, hackers have no obligation to release the computers when paid, and can often leave the computers infected, Weafer said.

"When people have paid the money, you still never know for sure if the breach has been contained or any information has been leaked," he added. "In this case, we still don't know enough."

News of the breach is stirring up plenty of debate among security experts over Uber's handling of the situation.

Why Uber decided to keep the data breach secret is another key question. Under its previous CEO, Travis Kalanick, the company gained a nasty reputation for breaking the rules, and avoiding the authorities.

The company's new CEO, Khosrowshahi, is working to repair that reputation and making Uber more transparent. In response to the breach, he's hired a former general counsel for the U.S. National Security Agency to help Uber improve its security teams.

Michael Kan

Reporter

Michael has been a PCMag reporter since October 2017. He previously covered tech news in China from 2010 to 2015, before moving to San Francisco to write about cybersecurity.

Want to be an Entrepreneur Leadership Network contributor? Apply now to join.

Business News

A New Hampshire City Was Named the Hottest Housing Market in the U.S. This Year. Here's the Top 10 for 2024.

Zillow released its annual lists featuring the top housing markets, small towns, coastal cities, and geographic regions. Here's a look at the top real estate markets and towns in 2024.

Business Ideas

63 Small Business Ideas to Start in 2024

We put together a list of the best, most profitable small business ideas for entrepreneurs to pursue in 2024.

Business News

'We're Not Allowed to Own Bitcoin': Crypto Price Drops After U.S. Federal Reserve Head Makes Surprising Statement

Fed Chair Jerome Powell's comments on Bitcoin and rate cuts have rattled cryptocurrency investors.

Business Ideas

Is Your Business Healthy? Why Every Entrepreneur Needs To Do These 3 Checkups Every Year

You can't plan for the new year until you complete these checkups.

Leadership

The End of Bureaucracy — How Leadership Must Evolve in the Age of Artificial Intelligence

What if bureaucracy, the very system designed to maintain order, is now the greatest obstacle to progress?