Uber's reputation was pretty much in the toilet before last week's raft of more bad news and worse decisions.
As Bloomberg reported on November 21st, Uber's data breach took place in October of 2016 and involved the personal data of 57 million customers and drivers. The company not only concealed the breach for more than a year, it paid the hackers $100,000 to delete the data (seriously, it trusted hackers?) and to keep quiet about the breach.
The compromised data included names, e-mail addresses and phone numbers of Uber riders. The personal information of about 7 million drivers was accessed as well.
How did the breach occur? According to Bloomberg, "Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company."
Chief Security Officer Joe Sullivan and a lawyer who reported to him are now gone (no surprise). An outside law firm was commissioned by Uber's Board to investigate and discovered both the hack and the failure to disclose the breach as required by state data breach notification laws.
Various state Attorney Generals are investigating and law suits have already been filed by consumers. Throw those on top of the dozens of unrelated lawsuits pending against Uber plus several criminal investigations and the stench of misconduct is ripe. Uber has been in so much legal trouble for so long – the pile of dirty laundry just continues to mount.
Dara Khosrowshahi, Uber's new CEO, seems to be trying to chart a new path. He wrote a description of the beach published on Uber's website. Information for those who may be impacted by the breach may be found here. It was encouraging that Mandiant, a division of FireEye, did the investigation. According to Uber, it has seen "no evidence of fraud or misuse tied to the incident." But then, that is the canned response of many breached companies.
I hope the new CEO means it when he says, "We are changing the way we do business."
E-mail: email@example.com Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology