Ride-hailing company Uber Technologies Inc. has between 40 and 50 million active monthly riders, and is especially popular in major U.S. cities. When news first surfaced that the company had suffered a data breach exposing the personal data of over 57 million customers and drivers, the story’s most unnerving part was Uber’s effort to conceal the incident, which occurred more than one year ago.
Two hackers allegedly accessed a private GitHub coding site that Uber software engineers used. The cybercriminals then used login credentials obtained from the site to access data stored on an Amazon Web Services account, which handled Uber’s computing tasks. Next, the hackers uncovered an archive containing an extensive directory of information on millions of customers and drivers. The information they gained access to included names, email addresses, and phone numbers of over 50 million Uber customers worldwide.
Roughly seven million drivers had their personal data exposed, including license numbers of over 600,000 U.S.-based drivers. Despite the large quantity of information exposed, Uber claims personal data like social security numbers, credit card information, and trip location details wasn’t compromised. After the attackers emailed Uber with demands for money, the company reportedly paid them a sum of $100,000.
In the wake of this story surfacing, Uber severed ties with Joe Sullivan, the company’s former chief security officer, along with one of his deputies, for their efforts to conceal the data breach. A mix of state and federal laws makes companies like Uber legally obligated to report these kinds of data breaches to regulators and to drivers whose license numbers were exposed. Instead, Uber agreed to pay the hackers if they deleted any data they obtained. Uber claims none of the personal information accessed was ever used, and the company declined to reveal any information on the cybercriminals who carried out the breach.
Travis Kalanick, one of Uber’s co-founders and CEO at the time, became aware of the data breach back in November 2016 (one month after it actually occurred). Sullivan (the company’s chief security officer at the time), who spearheaded the response to the incident, had been with Uber since 2015 (previously with Facebook), and has been the focus of most of the decision-making behind many of Uber’s recent publicity and ethical issues. Sullivan and his security team’s handling of (and failure to report) the data breach is currently under investigation by Uber’s board of directors.
While this recent breach is the latest of numerous scandals to plague the transportation service, the cyberattack pales in comparison to the ones that happened to companies like Yahoo, MySpace, Target, Anthem, and (most recently) Equifax. What does stand out are the measures Uber took to conceal the breach, in spite of its legal obligations to report such incidents. That is making many people wonder what other incidents Uber might have swept under the carpet (and whether other companies might have pulled similar stunts).