The two men responsible for accessing Uber’s confidential corporate databases through Amazon Web Services using stolen credentials pleaded guilty on Wednesday, 30 October 2019.
- In 2016, Brandon Charles Glover and Vasile Mereacre demanded that Uber pay a ransom in exchange for assurances they would delete the data of 57 million riders and drivers.
- The hackers stole the full names, phone numbers, email addresses, and the location where users signed up for the service.
- 3.7 million drivers were affected, having their weekly pay, trip summaries, and driver’s license
- Uber did not disclose the breach when it occurred. Rather, Uber paid the hackers through its ‘bug bounty’ program – designed to financially reward hackers for discovering and disclosing flaws with its software.
US attorney: signing of NDA “extraordinary”
On October 31st, it was revealed that Uber had the two hackers sign non-disclosure agreements in exchange for payment through the ‘bug bounty’ program and a promise that the data would not be released.
Soon after paying the ransom, Uber employees confronted the two hackers in-person and had them sign non-disclosure agreements. The US Attorney for Northern California Dave Anderson said, “I can’t think of another case that our office has handled that has that dimension to it. This case is extraordinary in that regard.”
The use of the ‘bug bounty’ program in this case was also unprecedented. The UK’s Information Commissioner’s Office wrote that while ‘bug bounty’ programs are common, this case differs from the norm. Normally, so-called ‘white-hat hackers’ discover and disclose the vulnerability. In this case, the hackers exploited the vulnerability and held the company for ransom.
The company also failed to disclose the breach to its customers and only began monitoring accounts for fraud 12 months after the breach.
Although the two hackers responsible promised to delete the data, it is impossible to know what happened to the stolen data.
How to protect yourself
While the Uber breach eventually came to light, it highlights a growing problem – companies do not want to expose that your data has been compromised.
To mitigate this, create complex passwords, use multi-factor authentication, shop with a credit card to avoid liability for fraudulent charges, watch for fraud, set up fraud alerts, and set up account alerts for your debit and credit cards.