Unbelievable: Uber concealed data breach that exposed 57 Million records in 2016

Unbelievable: Uber concealed data breach that exposed 57 Million records in 2016 and paid hackers to delete stolen records.

Uber CEO Dara Khosrowshahi announced on Tuesday that hackers broke into the company database and accessed the personal data of 57 million of its users, the bad news is that the company covered up the hack for more than a year.

The attackers accessed also the names and driver’s license numbers of roughly 600,000 of its drivers in the United States.

The hack happened in 2016, it was easy for hackers that according to a report published by Bloomberg, obtained credentials from a private GitHub site used by the Uber development team. The hackers tried to blackmail Uber and demanded $100,000 from the company in exchange for avoiding publish the stolen data.

“Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.” states Bloomberg.

In a statement on Tuesday, Khosrowshahi said the intruders accessed cloud-hosted data stores:

“I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use. The incident did not breach our corporate systems or infrastructure.

At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.” reads a CEO’s statement.

“You may be asking why we are just talking about this now, a year later. I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it.”

The situation is more unbelievable, rather than to notify the data breach to customers and law enforcement as is required by the California’s data security breach notification law, the Uber’s chief of information security Joe Sullivan ordered to pay the ransom and to cover the story destroying any evidence. The payout was disguised as a bug bounty prize complete with non-disclosure agreements signed. It is a good way to hide the payment, Uber is running a bug bounty program to encourage white hat hackers to responsibly disclose vulnerabilities affecting  its services.

“Uber acquiesced to the demands, and then went further. The company tracked down the hackers and pushed them to sign nondisclosure agreements, according to the people familiar with the matter. To further conceal the damage, Uber executives also made it appear as if the payout had been part of a “bug bounty” — a common practice among technology companies in which they pay hackers to attack their software to test for soft spots.” reported The New York Times“

“The details of the attack remained hidden until Tuesday. The ride-hailing company said it had discovered the breach as part of a board investigation into Uber’s business practices.”

As a result of the new board investigation Sullivan and one of his lieutenants were ousted.

The CEO explained that such kind of thing will not happen again in the future because Uber put the customers’ security and trust as the pillar of its business.

“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.” added Khosrowshahi.

The CEO added that forensics experts haven’t found evidence that data were downloaded, anyway the company is monitoring the affected account for fraudulent activities.

Below the list of actions the company has taken in response to the incident:

• I’ve asked Matt Olsen, a co-founder of a cybersecurity consulting firm and former general counsel of the National Security Agency and director of the National Counterterrorism Center, to help me think through how best to guide and structure our security teams and processes going forward. Effective today, two of the individuals who led the response to this incident are no longer with the company.
• We are individually notifying the drivers whose driver’s license numbers were downloaded.
• We are providing these drivers with free credit monitoring and identity theft protection.
• We are notifying regulatory authorities.
• While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection.

The New York Attorney General Eric Schneiderman has also launched an investigation into Uber data breach.

This isn’t the first time the company has experienced security breaches, it suffered the first data breach in May 2014, but the event was discovered on February 2015.

In the attack, the names and driver’s licenses of more than 50,000 of the company’s drivers were compromised.

At the time, the giant announced a data breach that resulted in unauthorized access to the driver partner license numbers of roughly 50,000 of its drivers.

In June 2016, security experts from the Integrity firm have found more than a dozen flaws in the Uber website that could be exploited by hackers to access driver and passenger data. The researchers discovered a total of security 14 issues, four of which cannot be disclosed.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Uber data breach, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]