Uber hid stolen customer data by paying off hackers
Former Uber CEO Travis Kalanick was aware of the hack but failed to publicise it to its customers
Uber is making headlines again but this time the ride-hailing service suffered a massive cyber-attack in October 2016 but failed to notify its customers.
A report by Bloomberg said that Uber had not only failed to notify its 57 million customer base that their data had been stolen, but chose to cover up the ordeal by paying the cybercriminals to delete the data. Bloomberg further disclosed that former CEO Travis Kalanick was aware of the situation, as well as chief security offer Joe Sullivan and his subordinates.
Uber has now released a statement revealing it had paid the hackers $100,000 to delete the data and stay quiet.
Uber's current CEO Dara Khosrowshahi, who replaced Kalanick earlier this year, said: "I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use. The incident did not breach our corporate systems or infrastructure."
Khosrowshahi cleared what data had been compromised but assured that Uber's forensic experts found no evidence that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of births had been stolen. However he said that the names and driver licenses of around 600,000 in the US has been downloaded, as well some select information of customers, such as mobile phone numbers and email addresses.
Khosrowshahi further explained the steps taken to resolve the situation. "At the time of the incident, we took immediate steps to secure the data and shut down further unauthorised access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts."
Vincent Weafer, vice president for McAfee Labs, said: "This is yet another example of a fairly significant data breach, the sort of which is increasingly occurring across the industry. It is exposing personal information, email addresses, drivers' addresses in this case, contact information that can be used to more effectively customise attacks on individuals and organisations.
"It appears the hack was successful because credentials that were used to access Github data or code were similar to those used to access Uber's own data repository containing the personal information. It shows how attackers are trying to use credentials as a means of gaining entry inside organisations. Once a hacker has the credentials, he can move around inside an organisation without detection.
"This is a good example of why people need to be very careful of how credentials are used and managed. We know attackers have been trying to track down administrator credentials--the keys to the kingdom--that allow them to move around within an organisation. Keeping those credentials separate and managing them should be a serious matter."