Uber Security Chief Is Out after Coverup of Massive Hack Is Revealed

Personal details for some 57 million Uber customers and 600,000 drivers were stolen by hackers over a year ago, the company revealed yesterday. Rather than reporting the incident as required by law, two higher-ups on Uber's security team paid the attackers $100,000 to keep quiet about the breach.

Those two employees, including chief security officer Joe Sullivan, are no longer with the company as of this week, according to CEO Dara Khosrowshahi.

Uber boosted security measures after the breach came to light and has since brought on a cybersecurity consultant to advise on other steps to take going forward, Khosrowshahi said in a blog post yesterday. While Uber said there have been no signs to date that the stolen data has been used for fraudulent purposes, Khosrowshahi said the company is notifying affected drivers and providing them with free credit monitoring and identity theft protection.

Affected riders have also been flagged for additional fraud protection, although they don't need to take any other action beyond regularly monitoring their credit and accounts, the company said.

Latest in a String of Damaging Developments

Long held up as an example of a wildly successful "disruptive" technology company, Uber has been hit by one PR disaster after another over the past year. Reports about widespread sexual harassment and discrimination at the company led founder/CEO Travis Kalanick to resign in June. The company has also faced state and federal investigations related to its use of "Greyball" software to evade regulators, and was told in September that London's transport agency would not renew the company's private hire operator license because it was "not fit and proper."

This week's revelations that the company covered up the hack have added to the challenges Khosrowshahi now faces in trying to repair Uber's reputation.

In a blog post yesterday, Khosrowshahi said he only recently learned of the data breach, which occurred in 2016. The hack by two unnamed individuals outside of the company didn't affect corporate systems or infrastructure, he said. But the hack did involve unauthorized access to user data on a third-party cloud service, identified by Bloomberg and other news outlets as Amazon Web Services.

"Our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded," Khosrowshahi noted. "However, the individuals were able to download files containing a significant amount of other information..."

That information included the names and license numbers of 600,000 drivers in the U.S., as well as the names, email addresses, and mobile phone numbers of 57 million Uber customers around the world.

"At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals," Khosrowshahi said. "We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts."

'None of This Should Have Happened'

The 2016 data breach was discovered after the board of directors launched an investigation into the actions of Uber's security team, according to a report yesterday in Bloomberg. The law firm commissioned to lead the investigation discovered both the breach and the team's failure to disclose the incident.

"None of this should have happened, and I will not make excuses for it," Khosrowshahi said in his blog post. "While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers."

On Twitter today, U.S. security writer Brian Krebs asked what made Uber's $100,000 payout to the hackers different from the ransoms other companies have paid to unlock system data encrypted by ransomware. Several commenters responded by noting that unlike companies hit by ransomware, Uber's business was never interrupted by the breach and that the company failed in its obligation to notify victims and regulators when it discovered the hack.

While a hack is bad enough, covering up such an incident is even worse, U.K. security writer Graham Cluley said yesterday.

"No doubt regulators will also be asking tough questions about why it wasn't informed about the breach until this week," Cluley wrote on his blog. "You can ask forgiveness for being hacked, but many people will find it harder to forgive and forget if you deliberately concealed the truth from them."
