The Daily Swig Web security digest

Bad news travels slowly: Uber admits to 13-month-old hack affecting 57m account holders

James Walker | 22 November 2017 at 16:40

Ride-hailing company paid hackers to keep über-breach quiet.

A hack last year against Uber Technologies led to the personal details of 57 million users being compromised, the company’s CEO Dara Khosrowshahi has confirmed.

In a lengthy post published on the tech firm’s website yesterday, the Uber boss said two individuals outside the company had “inappropriately accessed user data stored on a third-party cloud-based service” in October 2016.

Khosrowshahi said the individuals were able to download files containing a significant amount of information, including the names, email addresses, and mobile phone numbers of 57 million Uber users, and the names and driver’s license numbers of around 600,000 Uber drivers in the US.

The hack is understood to have taken place after the attackers obtained credentials from a private GitHub site used by Uber’s software developers, which were used to access data stored on an Amazon Web Services (AWS) account.
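The breach path described above (cloud credentials sitting in a source repository, then replayed against the cloud account) is why defenders scan repositories for hard-coded AWS keys before and after commits land. The following is an added example, not code from Uber or from this article: it flags AWS access key IDs by their documented prefix format and secret keys by a nearby keyword plus an entropy check, run over a constructed config snippet that uses the placeholder key values AWS publishes in its own documentation.

```python
import math
import re

# Long-term (AKIA) and temporary STS (ASIA) access key IDs are 20 uppercase alphanumerics.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])")
# Secret keys are 40 base64-style chars; require an "aws ... secret ... key" label nearby to cut noise.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_\-.]?secret[_\-.]?(?:access[_\-.]?)?key\W{0,5}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Constructed sample: an AWS CLI-style credentials file, with AWS's documentation placeholder values.
SAMPLE_CONFIG = """\
[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# dummy value that should NOT be reported (too little entropy to be a real secret)
aws_secret_access_key = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
"""


def shannon_entropy(s):
    """Bits per character; real secrets score high, placeholders like 'aaaa...' score near zero."""
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_aws_credentials(text, min_secret_entropy=4.0):
    """Return (line_number, kind, value) for every probable AWS credential in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "access_key_id", m.group(0)))
        for m in SECRET_KEY_RE.finditer(line):
            candidate = m.group(1)
            if shannon_entropy(candidate) >= min_secret_entropy:
                findings.append((lineno, "secret_access_key", candidate))
    return findings


def redact(value):
    """Show only the ends so a scanner report does not itself leak the credential."""
    return value[:4] + "..." + value[-4:]


if __name__ == "__main__":
    for lineno, kind, value in find_aws_credentials(SAMPLE_CONFIG):
        print(f"line {lineno}: {kind} {redact(value)}")
```

In a real pipeline the same function would be run over every blob in the repository's history (not just the working tree), since a key deleted in a later commit is still retrievable by anyone with read access to the repository.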

Khosrowshahi, who took the Uber helm in August, said there was no evidence the hackers obtained customer credit card, bank account, or social security numbers.

However, this is unlikely to allay the concerns of the millions of affected Uber customers, particularly after it was revealed by Bloomberg that the San Francisco tech firm paid the hackers $100,000 to delete the data and remain tight-lipped over the breach.

“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals,” the CEO said. “We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed.”

While Khosrowshahi underlined the need for Uber to be “honest and transparent”, the company has already come under fire from both sides of the Atlantic for its failure to immediately inform its account holders of the hack.

“By choosing not to disclose this massive data breach and attempting to mitigate the breach by paying the hackers to destroy the data, Uber has essentially rolled the dice with its customers’ and drivers’ personal identities,” said Cari Campen Laufenberg, a partner at US law firm Keller Rohrback.

“What’s more, it has done so for more than a year – denying these victims the crucial opportunity to take timely steps to mitigate the disclosure of their private information.”

Just hours after the company’s announcement, reports of a class-action lawsuit emerged from California, while the Associated Press said New York’s State Attorney General Eric Schneiderman has opened an investigation into the hack.

Issuing a statement in the wake of the breach announcement, James Dipple-Johnstone, deputy commissioner of the UK Information Commissioner’s Office, said: “Deliberately concealing breaches from regulators and citizens could attract higher fines for companies.

“Current British law carries a maximum penalty of £500,000 ($662,000) for failing to notify users and regulators when data breaches occur.”

Although the Uber boss said the company has seen no evidence of fraud or misuse tied to the incident, customers have been urged to monitor their credit and accounts for any issues.

“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” said Khosrowshahi. “We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”

Founded in 2009, Uber has grown to become the world’s best-known ride-hailing app. And while the shareconomy pioneer has been embroiled in numerous controversies and legal disputes over recent years, the firm has enjoyed a strong reputation among the security community for maintaining an active bug bounty program that bestows healthy rewards on those who find issues with its platform.