Uber paid criminal hackers $100,000 (£75,000) to delete personal data belonging to its customers and drivers, the company has confirmed.
The transport app company was breached in October 2016, and the criminals behind the hack offered to delete the data in exchange for money. Uber took the offer and ignored its legal requirement to disclose the breach, only admitting its error when Bloomberg uncovered the cover-up.
The stolen data includes the names, email addresses and phone numbers of 50 million Uber customers, as well as the personal information of about 7 million drivers – 600,000 of whom also had their driver’s license numbers exposed. No Social Security numbers, payment card information, trip location details or other information was taken, Uber said.
Data breaches are often accompanied by embarrassing stories about how the situation was mismanaged. Organisations sometimes take years to disclose an incident, and other times they deny being breached at all, but Uber has managed to combine both of those blunders in a spectacularly cynical cover-up.
Uber didn’t confirm the precise details of the hack, but, according to Bloomberg, two hackers found Uber’s login credentials to Amazon Web Services, a Cloud computing service, where the data was stored. The hackers then blackmailed Uber for $100,000 in exchange for deleting the data and keeping quiet.
But what did Uber think this would achieve? The organisation had no way of knowing whether the hackers would keep their word. The information hasn’t surfaced yet, but given that these are criminals who had the audacity to steal from and then blackmail a large company, there’s every chance that they either still have the information or have sold it on the dark web.
Regardless, any unauthorised access to or destruction of information is considered a breach. Paying the blackmailers only served to protect the company’s reputation at the expense of the affected individuals, whose information remains categorically breached.
At the time of the breach, Uber was under investigation for separate claims of privacy violations, which probably affected its decision-making. But these are not the only controversies it has been involved in. Since it was founded in 2009, Uber has faced four other criminal probes, which have looked into possible bribes, illicit software, questionable pricing schemes and theft of a competitor’s intellectual property.
Uber also faces dozens of civil lawsuits, with London among several cities to have taken steps to ban the organisation’s service.
Uber clearly didn’t want to add a data breach to its list of problems, but the public’s response to this story has rightly focused on the cover-up more than the breach itself. Data breaches are inevitable, so all you can ask organisations to do is identify them promptly and respond responsibly.
Speaking to Bloomberg, Dara Khosrowshahi, who took over as chief executive officer of Uber in September, commented: “None of this should have happened, and I will not make excuses for it.”
He added: “We are changing the way we do business.”
Subscribe to our Daily Sentinel for updates on this story and all the latest cyber security news.