Uber fell victim to a massive data breach in late 2016 that affected some 57 million customers, including both riders and drivers, revealing their names and contact details. While such breaches are not uncommon, Uber’s now-dismissed head of security, Joe Sullivan, did not report the incident to regulators or to affected customers, but instead was alleged to have paid $100,000 to “hackers” to get rid of the data and keep their mouths shut.
How Uber was Hacked
An unknown number of unidentified attackers accessed a private GitHub coding repository used by one of Uber’s engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company.
From there, the hackers discovered a database of rider and driver information, all in unencrypted format. Later, they emailed Uber asking for money, according to the company. The truly scary thing here is that Uber paid a bribe, essentially a ransom, to make this breach go away, and they acted as if they were above the law. Uber hired Mandiant, a cybersecurity firm owned by FireEye Inc., to investigate the hack.
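The entry point described above was credentials sitting in a code repository, so a defender's first check is whether any are committed in their own repositories. The following is an added example, not code from Uber or from the original article: a small scanner that flags AWS access keys in file contents and redacts what it reports. It assumes the credentials take the form of AWS access key pairs (the article only says "login credentials"), and the file names and key values are constructed.

```python
import re

# AWS access key IDs: long-term keys start with AKIA, temporary ones with ASIA.
KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Secret access keys are 40 base64-style characters; only flag them when they
# are assigned to a name containing "secret", to limit false positives.
SECRET = re.compile(
    r"(?i)\b[\w.-]*secret[\w.-]*\s*[:=]\s*[\"']?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

def redact(value):
    """Keep only enough of a finding to locate it, never the full secret."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]

def scan(files):
    """files: mapping of path -> text. Returns (path, line_no, kind, redacted)."""
    findings = []
    for path, text in sorted(files.items()):
        for line_no, line in enumerate(text.splitlines(), start=1):
            for m in KEY_ID.finditer(line):
                findings.append((path, line_no, "access_key_id", redact(m.group())))
            for m in SECRET.finditer(line):
                findings.append((path, line_no, "secret_access_key", redact(m.group(1))))
    return findings

# Constructed sample repository contents (fake values, not real credentials).
SAMPLE_REPO = {
    "deploy/settings.py": (
        'REGION = "us-east-1"\n'
        'AWS_ACCESS_KEY_ID = "AKIAABCDEFGHIJKLMNOP"\n'
        'AWS_SECRET_ACCESS_KEY = "abcdEFGHijklMNOPqrstUVWXyz0123456789/+AB"\n'
    ),
    "README.md": "Set credentials through the environment, e.g. $AWS_ACCESS_KEY_ID.\n",
}

if __name__ == "__main__":
    for finding in scan(SAMPLE_REPO):
        print(*finding)
```

A repository being private does not make committed keys safe, as this incident shows; any key the scanner finds should be treated as exposed and rotated, not just deleted from the file.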
Potential Repercussions From the Data Breach
What happens when the $100,000 paid by Uber to the hackers is exhausted? Almost no hacker will sleep comfortably knowing that they have 57 million unique customer records lying around on their computers. Such leaks can be worth millions of dollars on black markets because that data is all hackers require to get into your email, and from your email the possibilities are endless and devastating.
Hackers go to your email provider, enter your email, and click “forgot my password.” Your email provider will typically offer to send a text to your phone with a code. As soon as you get that text, the hackers send one, too, pretending to be your email provider asking you to enter the code. Many of us do it, thinking it’s legit. But what you’ve really done is give the hackers access to your email.
New Uber CEO Dara Khosrowshahi told reporters via email that while he “will not make excuses” for the incident, he also believes that “none of this should have happened.” Khosrowshahi, who joined the 50+ billion dollar company in August, also said that Uber managed to isolate and contain the breach and increased its security measures following the attack, but that it failed in its duty to report.
Sources say that Kalanick was aware of the hack as early as November 2016, just a month after it occurred. The report says the attack occurred because attackers managed to gain login credentials for an Uber Amazon Web Services account using a private GitHub site maintained by Uber engineers.
In a blog post addressing the breach, Khosrowshahi laid out plans for how the company will address the fallout of the incident, including bringing on a former NSA general counsel to provide guidance to Uber’s security teams, and notifying drivers whose license numbers were included in the breach.
Uber will not only notify the drivers, but also offer them credit monitoring and identity theft protection services, though the post also says they haven’t seen “evidence of fraud or misuse tied to the incident.”