Uber is hacked, covers it up for over a year, pays the hackers US$100,000 to delete the data and keep things quiet. What else could it have done wrong. Not much

November 22, 2017 |

Uber, like many modern disrupting businesses, relies on data.  Lots of it to make its app effective.  In October 2016 Uber suffered a disastrous data breach, affecting the personal information of 57 million customers and drivers.  The hackers stole names, email addresses, phone numbers as well as the names and driver licences of 600,000 drivers in the US alone.  That can make up a treasure trove of data that can be used in identity theft.  Uber says that location data, credit card numbers, bank account details, social security numbers and birth dates were not compromised.  Or at least that is what it says.  Uber’s credibility has taken a hit.

The story has been picked up by The Wall Street Journal, the Fairfax press, Bloomberg and the Guardian (to name but a few).

Hours after the notice of the breach the New York Attorney General has opened an investigation and Uber is being sued for negligence.

The nature of the breach was fairly rudimentory.  Hackers obtained login credentials to access data stored on Uber’s Amazon Web Services Account.  The data, it would appear, was not encrypted.  That is a truly basic mistake.  It was not even salted (partially obscured to outsiders).  I

After the hack was discovered Uber did pretty much the opposite of everything that should be done:

  1. it sought to cover up the breach.
  2. it failed to advise people whose personal information had been stolen that their data had been compromised;
  3. it sought to pay off the hackers and ask them to delete the stolen files. The payment of ransom happens but usually in isolated ransomware attacks.  The payment of ransom in this case bespeaks witlessness on the part of Uber management.  It is a dreadful and ineffective practice.

The enormity of the personal information obtained highlights how modern tech based businesses rely on many terabytes of data to survive. The failure to maintain proper data security means that hacks can result in huge losses of data.  Based on the information to date there has been a chronic lack of investment in cyber security to protect its supply chain.  That is not uncommon with start ups and app developers.  But Uber is a huge operation.

There is a lot more string to run out in this story.  There are very few up sides for Uber.  There should be very little sympathy for it.  It took a bad situation and made it much, much worse.

 

Leave a Reply