Uber Hid 57-Million User Data Breach For Over a Year

By now, the name Uber has become practically synonymous with scandal. But this time the company has outdone itself, building a Jenga-style tower of scandals on top of scandals that has only now come crashing down. Not only did the ridesharing service lose control of 57 million people’s private information, it also hid that massive breach for more than a year, a cover-up that potentially defied data breach disclosure laws. Uber may have even actively deceived Federal Trade Commission investigators who were already looking into the company for a distinct, earlier data breach.

On Tuesday, Uber revealed in a statement from newly installed CEO Dara Khosrowshahi that hackers stole a trove of personal data from the company’s network in October 2016, including the names and driver’s license information of 600,000 drivers, and worse, the names, email addresses, and phone numbers of 57 million Uber users.

As bad as that data debacle sounds, Uber’s response may end up doing the most damage to the company’s relationship with users, and may even have exposed it to criminal charges against executives, according to those who have followed the company’s ongoing FTC woes. According to Bloomberg, which originally broke the news of the breach, Uber paid a $100,000 ransom to its hackers to keep the breach quiet and delete the data they’d stolen. It then failed to disclose the attack to the public—potentially violating breach disclosure laws in many of the states where its users reside—and also kept the data theft secret from the FTC.

“If Uber knew and covered it up and didn’t tell the FTC, that leads to all kinds of problems, including even potentially criminal liability,” says William McGeveran, a data-privacy focused law professor at the University of Minnesota Law School. “If that’s all true, and that’s a bunch of ifs, that could mean false statements to investigators. You cannot lie to investigators in the process of reaching a settlement with them.”


The Hack

According to Bloomberg, Uber’s 2016 breach occurred when hackers discovered that the company’s developers had published code that included their usernames and passwords on a private account of the software repository Github. Those credentials gave the hackers immediate access to the developers’ privileged accounts on Uber’s network, and with it, access to sensitive Uber servers hosted on Amazon’s servers, including the rider and driver data they stole.

While it’s not clear how the hackers accessed the private Github account, the initial mistake of sharing credentials in Github code is hardly unique, says Jeremiah Grossman, a web security researcher and chief security strategist at security firm SentinelOne. Programmers frequently add credentials to code to allow it automated access to privileged data or services, and then fail to restrict how and where they share that credential-laden software.
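As an added illustration (not code from the article, from Uber, or from SentinelOne), here is a small Python scanner of the kind teams run as a pre-commit check to catch the mistake described above: credentials hard-coded in source that then travel wherever the code is shared. The key ID in the sample is AWS’s documented example value, not a real credential, and both snippets are constructed for this example.

```python
import re

# Heuristic patterns for secrets that commonly leak in committed code.
# The AWS access key ID format (AKIA followed by 16 uppercase alphanumerics)
# is AWS's documented prefix; the password pattern catches string literals
# assigned to names such as password/passwd/pwd/secret.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "hardcoded_password": re.compile(
        r"""(?i)(?:password|passwd|pwd|secret)\s*[=:]\s*['"]([^'"]{6,})['"]"""
    ),
}


def scan_source(text):
    """Return a list of (line_no, kind) findings for hardcoded secrets in text.

    Only the line number and the kind of secret are reported, so a CI log or
    pre-commit hook output never echoes the secret value itself.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((line_no, kind))
    return findings


# Constructed sample of the risky pattern: credentials embedded in code.
# "AKIAIOSFODNN7EXAMPLE" is the documented AWS example key ID, not a real key.
LEAKY_SNIPPET = '''import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DB_PASSWORD = "hunter2-prod-db"
client = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID)
'''

# Constructed sample of the hardened form: the code references secrets by
# environment variable, so the repository never carries the values.
HARDENED_SNIPPET = '''import os, boto3
client = boto3.client("s3", aws_access_key_id=os.environ["AWS_ACCESS_KEY_ID"])
db_password = os.environ["DB_PASSWORD"]
'''

if __name__ == "__main__":
    for name, snippet in (("leaky", LEAKY_SNIPPET), ("hardened", HARDENED_SNIPPET)):
        print(name, scan_source(snippet))
```

Running the block reports line 2 and line 3 of the leaky snippet and nothing for the hardened one; wiring `scan_source` into a pre-commit hook that rejects any non-empty result is the usual mitigation.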

“This is all too common on Github. It’s not a forgiving environment,” says Grossman. He’s far more shocked by the reports of Uber’s subsequent coverup. “Everyone makes mistakes. It’s how you respond to those mistakes that gets you in trouble.”

Who’s Affected

Uber’s count of 57 million users covers a significant swath of its total user base, which reached 40 million monthly users last year. The company hasn’t notified affected users, writing in its statement that it’s “seen no evidence of fraud or misuse tied to the incident,” and that it’s flagged the affected accounts for additional protection. As for the 600,000 drivers whose information was included in the breach, Uber says it’s contacting them now, and offering free credit monitoring and identity theft protection.

How Serious Is This?

Mass spills of names, phone numbers, and email addresses represent valuable data for scammers and spammers, who can combine those data points with other data leaks for identity theft, or use them immediately for phishing. The more sensitive driver data that leaked may offer even more useful private information for fraudsters to exploit. All of it contributes to the dreary, steady erosion of the average person’s control of their personal information.

But it’s Uber, not the average user whose data it spilled, that may face the most severe and immediate consequences. The company has already fired its chief security officer, Joe Sullivan, who previously led security at Facebook, and before that worked as a federal prosecutor. By failing to publicly disclose the breach for over a year, the company has likely violated breach disclosure laws, and should be bracing for hefty fines in many states where its users live, as well as its home state of California, says the University of Minnesota Law School’s McGeveran. (In statements on Twitter embedded above, former FTC attorney Whitney Merrill echoed that interpretation of those breach disclosure laws.) “I would not be surprised to see states pursuing Uber on that basis,” McGeveran says.

Former FTC attorney Whitney Merrill echoed that interpretation Tuesday on Twitter.

If the cover-up included making false statements to the FTC during its investigation of the 2014 breach—even though it was a separate incident—that could have even more dire consequences. Making false statements to the commission’s investigators, McGeveran points out, is a federal criminal offense. “This is not just a casual chat over a cup of tea; it’s a formalized investigative procedure,” McGeveran says. “They’re already being asked investigative questions by a government official. They not only know about the breach, but they’re allegedly paying hackers to cover it up. They presumably omit this 57 million person breach from their disclosure to the FTC.”

“If all of that is true,” McGeveran reiterates, “that’s huge.”
