Uber paid hackers $100,000 to cover up massive data breach: CEO

Published November 23, 2017
DARA Khosrowshahi says he learnt about the breach recently.—Reuters
DARA Khosrowshahi says he learnt about the breach recently.—Reuters

WASHINGTON: Uber Techno­logies paid hackers $100,000 to keep secret a massive breach last year that exposed the personal information of about 57 million accounts of the ride-service provider, the company said on Tuesday.

Discovery of the US company’s cover-up of the incident resulted in the firing of two employees responsible for its response to the hack, said Dara Khosrowshahi, who replaced co-founder Travis Kalanick as chief executive in August.

“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said in a blog post.

The breach occurred in Octo­ber last year, but Khosrowshahi said he had learned of it recently.

The hack is another controversy for Uber on top of sexual harassment allegations, a lawsuit alleging trade secret theft and multiple federal criminal probes that culminated in Kalanick’s ouster in June.

The stolen information included names, email addresses and mobile phone numbers of Uber users around the world, and the names and licence numbers of 600,000 US drivers, Khosrowshahi added.

Uber passengers need not worry as there was no evidence of fraud, while drivers whose licence numbers had been stolen would be offered free identity theft protection and credit monitoring, Uber said.

Two hackers gained access to proprietary information stored on GitHub, a service that allows engineers to collaborate on software code. There, the two people stole Uber’s credentials for a separate cloud-services provider where they were able to download driver and rider data, the company said.

A GitHub spokeswoman said the hack was not the result of a failure of GitHub’s security.

“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” Khosrowshahi said.

“We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”

Bloomberg News first reported the data breach on Tuesday.

The Uber chief said the firm had begun notifying regulators. The New York attorney general has opened an investigation, a spokeswoman said.

Regulators in Australia and the Philippines said on Wednesday they would look into the matter. Uber is seeking to mend fences in Asia after having run-ins with authorities, and is negotiating with a consortium led by Japan’s SoftBank Group for fresh investment. SoftBank declined to comment.

Uber said it had fired its chief security officer, Joe Sullivan, and a deputy, Craig Clark, this week because of their role in the handling of the incident. Sullivan, formerly the top security official at Facebook and a federal prosecutor, served as both security chief and deputy general counsel for Uber.

Kalanick, the former Uber chief, learned of the breach in November last year, a month after it took place, a source familiar with the matter said. At the time, the company was negotiating with the US Federal Trade Commission over the handling of consumer data.

A board committee had investigated the breach and concluded that neither Kalanick nor Salle Yoo, Uber’s general counsel at the time, were involved in the cover-up, another person familiar with the issue said.

Uber said on Tuesday it was obliged to report the theft of the drivers’ licence information and had failed to do so.

Kalanick, through a spokesman, declined to comment. The former CEO remains on the Uber board of directors, and Khosrowshahi has said he consults him regularly.

Crime pays

Although payments to hackers are rarely publicly discussed, US Federal Bureau of Investigation officials and private security companies have said an increasing number of companies are paying criminal hackers to recover stolen data.

“The economics of being a bad guy on the internet today are incredibly favourable,” said Oren Falkowitz, co-founder of California-based cyber security company Area 1 Security.

Uber has a history of failing to protect driver and passenger data. Hackers previously stole information about Uber drivers and the company acknowledged in 2014 that its employees had used a software tool called “God View” to track passengers.

Dara Khosrowshahi, the new CEO, said on Tuesday he had hired Matt Olsen, former general counsel of the US National Security Agency, to restructure the company’s security teams and processes.

The company also hired Mandiant, a cybersecurity firm owned by FireEye, to investigate the breach.

The new chief executive has travelled the world since replacing Kalanick to deliver a message that Uber has matured from its earlier days as a rule-flouting startup.

Published in Dawn, November 23rd, 2017

Follow Dawn Business on Twitter, LinkedIn, Instagram and Facebook for insights on business, finance and tech from Pakistan and across the world.

Opinion

Editorial

Smog hazard
Updated 05 Nov, 2024

Smog hazard

The catastrophe unfolding in Lahore is a product of authorities’ repeated failure to recognise environmental impact of rapid urbanisation.
Monetary policy
05 Nov, 2024

Monetary policy

IN an aggressive move, the State Bank on Monday reduced its key policy rate by a hefty 250bps to 15pc. This is the...
Cultural power
05 Nov, 2024

Cultural power

AS vital modes of communication, art and culture have the power to overcome social and international barriers....
Disregarding CCI
Updated 04 Nov, 2024

Disregarding CCI

The failure to regularly convene CCI meetings means that the process of democratic decision-making is falling apart.
Defeating TB
04 Nov, 2024

Defeating TB

CONSIDERING the fact that Pakistan has the fifth highest burden of tuberculosis in the world as per the World Health...
Ceasefire charade
Updated 04 Nov, 2024

Ceasefire charade

The US talks of peace, while simultaneously arming and funding their Israeli allies, are doomed to fail, and are little more than a charade.