Uber is now admitting that they were hacked a year ago and didn’t tell anyone. Data on 57 million riders was stolen, and information on 600,000 drivers was taken as well. Uber paid off the hackers to destroy the data.
Now that this is coming to light, Uber’s Chief Security Officer is out as the fall guy. And they’re bringing in a former general counsel at the NSA to guide their policies going forward, which should raise all sorts of separate concerns.
They’re notifying drivers whose driver’s license numbers were taken and doing the usual waving of hands around “free credit monitoring and identity theft protection” which really exists as a business these days so that companies can say they’re doing something after data is stolen.
This is how the hack went down, according to Uber’s statement:
Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company.
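The chain in that statement is the one that matters for anyone running a cloud account: a long-lived credential committed to a code repository, then replayed against the cloud provider's API. As an added example (not Uber's code or tooling, and not part of the statement above), here is a small Python scanner of the kind both attackers and defenders run over a repository's history to find AWS access key pairs. The sample diff, the file names, the entropy threshold and the `scan_git_history` helper are constructed for illustration; the key pair in the sample is the placeholder pair AWS uses in its own documentation, not a live credential.

```python
"""Find AWS access key pairs in text such as files or `git log -p` output.

Added example, not Uber's tooling. The sample diff below is constructed.
"""
from __future__ import annotations

import math
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# AWS access key IDs are 20 characters: a 4-letter prefix (AKIA for long-lived
# IAM user keys, ASIA for temporary STS keys) plus 16 uppercase alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# Secret access keys are 40 characters drawn from the base64 alphabet.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")


@dataclass
class Finding:
    line_no: int            # 1-based line in the scanned text
    access_key_id: str
    secret_key: Optional[str]   # None when no plausible secret was found nearby
    entropy: float          # Shannon entropy of the secret, bits per character


def shannon_entropy(s: str) -> float:
    """Bits per character. 40-char hex (e.g. a commit hash) cannot reach 4.0;
    real base64 secrets typically score 4.5 or more."""
    if not s:
        return 0.0
    counts: dict = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(secret: str) -> str:
    """Keep only the ends so a report does not itself leak the secret."""
    return secret[:4] + "..." + secret[-4:]


def find_aws_credentials(text: str, window: int = 5, min_entropy: float = 4.0) -> List[Finding]:
    """For every access key ID, look for a 40-char secret on the same line or
    within `window` following lines, dropping low-entropy candidates
    (placeholders like 'xxxx...' and hex digests)."""
    lines = text.splitlines()
    findings: List[Finding] = []
    for i, line in enumerate(lines):
        for m in ACCESS_KEY_RE.finditer(line):
            secret, entropy = None, 0.0
            for cand_line in lines[i:i + window + 1]:
                for s in SECRET_KEY_RE.finditer(cand_line):
                    e = shannon_entropy(s.group(1))
                    if e >= min_entropy:
                        secret, entropy = s.group(1), e
                        break
                if secret:
                    break
            findings.append(Finding(i + 1, m.group(1), secret, entropy))
    return findings


def scan_git_history(repo_path: str) -> List[Finding]:
    """Attacker's-eye view of a repository: a key that was committed and later
    'removed' is still in `git log -p --all` until history is rewritten."""
    out = subprocess.run(
        ["git", "-C", repo_path, "log", "-p", "--all"],
        capture_output=True, text=True, errors="replace", check=True,
    ).stdout
    return find_aws_credentials(out)


# Constructed sample: one real-looking pair (AWS's documentation placeholder)
# and one template entry whose secret is a placeholder.
SAMPLE_DIFF = """\
commit 3b1f2c9e4d5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c
Author: dev <dev@example.com>
    add deploy config
+++ b/deploy/settings.py
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+BACKUP_BUCKET = "prod-backups"
+++ b/docs/example.env
+AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000000
+AWS_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+# built from 3b1f2c9e4d5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c
"""

if __name__ == "__main__":
    for f in find_aws_credentials(SAMPLE_DIFF):
        shown = redact(f.secret_key) if f.secret_key else "(no secret nearby)"
        print(f"line {f.line_no}: {f.access_key_id} secret={shown} entropy={f.entropy:.2f}")
```

Two points the scanner makes concrete. First, the key ID alone is a finding worth acting on even when no secret sits next to it: the ID is not secret, but its presence in a repo is a strong hint that the secret was, or is, nearby. Second, revoking a leaked pair is the fix; deleting the file in a later commit is not, because `scan_git_history` (and an attacker's equivalent) reads every diff ever committed.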
Here’s the information taken on riders.
Rider information included the names, email addresses and mobile phone numbers related to accounts globally. Our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded.
And here’s the information taken on drivers:
Driver information included the names, email addresses and mobile phone numbers related to accounts globally. In addition, the driver’s license numbers of around 600,000 drivers in the United States were downloaded. Our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers, or dates of birth were downloaded.
(HT: Doctor of Credit)
One of the dumbest moves a business can make is failing to disclose that it suffered a data breach until long after the breach has been confirmed. Just when you thought Uber couldn’t fall any further…
Yup, “doing the usual waving of hands around ‘free credit monitoring and identity theft protection’ which really exists as a business these days so that companies can say they’re doing something after data is stolen.” Pants-wetting funny, Gary! And TOTALLY ACCURATE. Next comes the class action suit we all sign up for that nets us $0.79 each. About a penny a minute for the time we waste changing our passwords to something we can’t remember to fit the miscreant’s “new and improved” guidelines.
Makes me feel better about using my CrapOne card (which used to rebate 20%) for Uber and Lyft, though at this point it appears CC data was safe. As for email and telephone info, I get so many robocalls and spam already that I can’t get worked up.
If Uber is to be believed (a tall order for the company, given its history) the incident sounds like no harm, no foul for consumers – though clearly another stain on Uber’s permanent record.
When one pays off a blackmailer to destroy data, how can one possibly trust that the data has been destroyed?
@Burt: That is the million dollar question. 🙂
@Burt the blackmailers come back and say add another zero and we’ll really really delete the data this time.
Gary, have they caught the Uber tip thief girl? I mean, it was on TV nationwide….
The invisible hand of the market will keep this from happening (according to Gary and other Libertarians). However, some of us believe that some enforced government regulation in this area is needed.
@Brett – false, I haven’t ever said that. We have government regulation in this area. Uber admits failing to inform regulators as required. Government gets hacked too, they aren’t good at stopping it. Perhaps the most fruitful area for reform is in legal liability for hacks.
How will the people of London survive without this fine, upstanding corporate citizen?!
@here – those of you who assume your CC info is safe are really amusing me. Let’s look at the details:
–Hackers socially engineer their way into Uber’s codebase
–Hackers use non-encrypted credentials (coding changed this practice in the late 1990s) to get into Uber’s AWS account
–Hackers took some data
–Hackers told Uber about some data they had in possession and demanded money
–Uber gave in and paid the money
–Uber hid the hack
I work in the IT world and use AWS frequently. I seriously doubt Uber tracks ad-hoc db queries and/or file access on those servers. And since the hackers didn’t break into the system all Uber would have seen was that someone logged in using a valid credential. So we have to assume that Uber hid the hack because they actually had no idea what exactly was compromised and they didn’t want to admit that they had no idea. It’s pretty clear that Uber based its data breach assessment on what the hackers told them. And it’s pretty safe to assume that the hackers would have approached Uber with a small set of the stolen data to see what they could milk out of Uber…which would also mean they’d take more sensitive data and sell it to the highest bidder.
Uber appears to have poor coding practices…unencrypted sensitive data sitting in plain text? Sheesh. Sure, go after the former CEO and Security guy for paying off and not fessing up to the hack but why is the CTO not included in the list of problem areas?
Go onto Uber’s web site and see how long it takes you to figure out how to change your password.
There are recent reports from Uber users in Singapore that they were charged for phantom Uber trips that occurred in other faraway countries. Uber is claiming that the incidents are unrelated to the massive data breach… https://www.channelnewsasia.com/news/singapore/uber-s-massive-data-breach-and-singapore-phantom-ride-cases-not-9429016