Area 1 Security talks with The Sun about Uber Hack 11/22/17
Uber PAID hackers to keep quiet about stealing the personal details of 57m customers
Uber reportedly paid the cyber crims £75,000 to delete the data and keep quiet about the attack
By Maryse Godden
22nd November 2017, 10:25 am
Updated: 22nd November 2017, 12:20 pm
UBER paid hackers £75,000 “hush money” to keep quiet about an astonishing cyber attack which affected 57 million customers and drivers.
Two hackers managed to access millions of names, email addresses and mobile phone numbers of the app’s users around the world in 2016, Uber’s boss has admitted.
The computer experts also managed to download the names and driver’s licence numbers of around 600,000 drivers in the US.
Uber has admitted paying the hackers $100,000 to delete the data and keep quiet about the cyber attack, Bloomberg reported.
The cover-up deal raises “huge concerns” about the hail-and-ride firm’s data policies and ethics, Britain’s data protection regulator said today.
“Deliberately concealing breaches from regulators and citizens could attract higher fines for companies,” said James Dipple-Johnstone, deputy commissioner of the UK Information Commissioner’s Office.
The maximum penalty is £500,000 under current British law for organisations that fail to notify affected users and regulators when data breaches occur.
The company said it had fired two senior security officials involved in the cover-up.
In a statement, Uber’s chief executive Dara Khosrowshahi said: “None of this should have happened, and I will not make excuses for it.
“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”
Khosrowshahi said the data was stolen from a “third-party cloud-based service that we use”.
He added there had been “no indication” trip history, credit card details, bank account numbers or dates of birth were downloaded by the hackers.
“While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection,” he said.
The hackers gained access to proprietary information stored on GitHub, a service that allows engineers to collaborate on software code.
There, the two people stole Uber’s credentials for a separate cloud-services provider where they were able to download driver and rider data, the company said.
A GitHub spokeswoman said the hack was not the result of a failure of its security.
Drivers have now been offered free credit monitoring protection, but customers who have been affected will not be given the same. Uber has set up a website for users who have been affected.
Although payments to hackers are rarely publicly discussed, FBI officials and private security companies told Reuters that an increasing number of companies are paying cyber crooks to recover stolen data.
“The economics of being a bad guy on the internet today are incredibly favourable,” said Oren Falkowitz, co-founder of California-based cyber security company Area 1 Security.
Uber has a history of failing to protect driver and passenger data.
Hackers previously stole information about Uber drivers and the company acknowledged in 2014 that its employees had used a software tool called “God View” to track passengers.