Uber Paid $100K Ransom and Hid 57-Million User Data Breach For Over a Year

audreyh1

This really blew my mind! Wow!

So - Uber pays hackers $100K to supposedly delete stolen data (right!) and not tell anyone about it. Oh yeah - and forget letting their customers, drivers, or authorities know. What kind of mentality does that company have?!?!?

They tracked down the hackers and made them sign NDAs instead of turning them over to authorities?!?!?

On Tuesday, Uber revealed in a statement from newly installed CEO Dara Khosrowshahi that hackers stole a trove of personal data from the company's network in October 2016, including the names and driver's license information of 600,000 drivers, and worse, the names, email addresses, and phone numbers of 57 million Uber users.

As bad as that data debacle sounds, Uber's response may end up doing the most damage to the company's relationship with users, and perhaps even exposed it to criminal charges against executives, according to those who have followed the company's ongoing FTC woes. According to Bloomberg, which originally broke the news of the breach, Uber paid a $100,000 ransom to its hackers to keep the breach quiet and delete the data they'd stolen. It then failed to disclose the attack to the public—potentially violating breach disclosure laws in many of the states where its users reside—and also kept the data theft secret from the FTC.

https://www.wired.com/story/uber-paid-off-hackers-to-hide-a-57-million-user-data-breach/

Also
The two hackers stole data about the company’s riders and drivers — including phone numbers, email addresses and names — from a third-party server and then approached Uber and demanded $100,000 to delete their copy of the data, the employees said.

Uber acquiesced to the demands, and then went further. The company tracked down the hackers and pushed them to sign nondisclosure agreements, according to the people familiar with the matter. To further conceal the damage, Uber executives also made it appear as if the payout had been part of a “bug bounty” — a common practice among technology companies in which they pay hackers to attack their software to test for soft spots.
https://www.nytimes.com/2017/11/21/technology/uber-hack.html?_r=0
 
Nowadays I assume that many of the companies that I have a relationship with have done the same thing. If one believes that their information is safe, then they are totally naive.
 
According to Bloomberg, which originally broke the news of the breach, Uber paid a $100,000 ransom to its hackers to keep the breach quiet and delete the data they'd stolen. It then failed to disclose the attack to the public—[-]potentially[/-] violating breach disclosure laws in many of the states where its users reside—and also kept the data theft secret from the FTC.

Nope, not *potentially*. Unless there are other contrary facts, this is a big "no no".

I suspect the regulatory fines, lawsuits, and lost customers are going to cost them uber bucks. :fingerwag:
 
California was one of the first states to enact a law requiring disclosure of data breaches. It's mind boggling that a tech company headquartered in the state doesn't know that, if only because everyone who works there has gotten letters from other companies who've had similar events. Did they all think those other companies were just notifying them to be nice?
 
I still sometimes wonder how they remain in business...I guess all the drunk college kids need to get around somehow. We used taxis when I was doing damage.
 
I still sometimes wonder how they remain in business...I guess all the drunk college kids need to get around somehow. We used taxis when I was doing damage.

Me too!

So who thinks the hackers actually deleted the data?
 
...........They tracked down the hackers and made them sign NDAs instead of turning them over to authorities?!?!?
Wow, it seems like for half as much they could have just made the hackers "disappear".
 
Uber is well known as being one of the most ethically challenged 'tech' companies out there. Sexual harassment, intimidation, actively sabotaging competition and now this .. it's just par for the course.

What keeps surprising me is how they keep raising all that money while in essence it's still little more than a taxi app with a vague self-driving car promise. Guess I have a lack of imagination.
 