Uber Paid Off Hackers to Hide Massive Data Breach

The latest scandal to engulf the transportation giant could be its worst yet.

Uber has taken plenty of wrong turns over the past few years. But the latest is certainly one of the most damaging. Bloomberg has revealed that the company concealed for more than a year a massive data breach that exposed sensitive records of millions of drivers and customers. The breach, which occurred in October 2016, was reportedly hidden by Uber’s chief security officer, Joe Sullivan, and others. Sullivan and one of his deputies have been ousted by the company. Travis Kalanick, the firm’s cofounder and former CEO, was made aware of the breach not long after it happened.

In a press release published shortly after Bloomberg’s story appeared, Uber’s current CEO, Dara Khosrowshahi, said hackers had been able to download files containing a significant amount of information, including the names and driver’s license numbers of around 600,000 drivers in the United States, as well as personal information such as names, e-mail addresses, and mobile phone numbers of 57 million Uber users around the world. The company says outside forensic experts it called in to analyze the breach haven’t seen any indication that credit card numbers, bank account details, and Social Security numbers have been downloaded. But it didn’t say that such details hadn’t been breached.

As with previous mega-hacks, more details will emerge in coming days and weeks. But there are already pressing questions that demand swift answers. Who exactly within Uber’s staff knew about the hack after it occurred, and how many people were actively involved in the cover-up, which involved paying the hackers $100,000 to delete data and keep the breach quiet? Was anyone on Uber’s board told about the intrusion at the time? If not, why not? And why did Uber fail to inform regulators swiftly about the hack?

Bloomberg’s report says that when the breach occurred, Uber was already talking with U.S. regulators about separate privacy violations and had just settled a case with the Federal Trade Commission over mishandling of consumer data. It also reported last month that the company’s board had launched an investigation into the activities of Sullivan’s security team. It was the outside law firm leading that effort that uncovered the hack and the cover-up.

The breach raises big questions about the state of Uber’s security practices. According to Bloomberg, the intruders were able to find login credentials from Uber engineers on GitHub, a widely used code repository. These gave them access to an Amazon cloud computing server holding the data. That’s a startling breach of security fundamentals. It’s also astonishing that such large amounts of sensitive personal data were apparently being held on a third-party service without being encrypted.
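The failure chain described above starts with cloud credentials committed to a code repository. The usual defensive control is a secret scanner run as a pre-commit hook or in CI, so that a key never reaches a shared repository in the first place. The following is an added example written for this article, not code from Uber or from any scanning product; it combines a pattern check for the well-known shape of an AWS access key ID with a Shannon-entropy check for long, random-looking strings, and runs it over a constructed settings file whose credential values are the placeholder examples AWS publishes in its own documentation, not real keys.

```python
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Well-known shape of an AWS access key ID: "AKIA" followed by 16 upper-case
# alphanumerics. Any match in a repository deserves a human look.
AWS_ACCESS_KEY_ID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

# Generic candidate for a secret: a long run of base64-like characters. Alone this
# is noisy (hashes, base64 blobs), so it is paired with an entropy threshold.
# The threshold of 4.0 bits/char is an assumption chosen for this example.
LONG_TOKEN_RE = re.compile(r"[A-Za-z0-9/+=_-]{32,}")
ENTROPY_THRESHOLD_BITS = 4.0


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line in the scanned text
    kind: str      # which detector fired
    redacted: str  # first and last 4 chars only, so the report itself leaks nothing


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(token: str) -> str:
    return token[:4] + "..." + token[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return a Finding for every line that looks like it carries a cloud credential."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_ID_RE.finditer(line):
            findings.append(Finding(line_no, "aws-access-key-id", redact(m.group(0))))
        for m in LONG_TOKEN_RE.finditer(line):
            token = m.group(0)
            if shannon_entropy(token) >= ENTROPY_THRESHOLD_BITS:
                findings.append(Finding(line_no, "high-entropy-string", redact(token)))
    return findings


def should_block_commit(findings: list[Finding]) -> bool:
    """Policy for a pre-commit hook: any finding blocks the commit.
    Per-repository allowlists (test fixtures, documentation samples) would be
    layered on top of this in a real deployment."""
    return len(findings) > 0


# Constructed sample file (not Uber's code). The two credential values are the
# placeholder examples from AWS documentation, not working keys.
SAMPLE_SETTINGS = """\
DEBUG = True
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
S3_BUCKET = "driver-exports"
LOG_FORMAT = "%(asctime)s %(levelname)s %(message)s"
"""

if __name__ == "__main__":
    results = scan_text(SAMPLE_SETTINGS)
    for f in results:
        print(f"line {f.line_no}: {f.kind} ({f.redacted})")
    print("block commit:", should_block_commit(results))
```

On the constructed file the scanner reports the access key ID on line 2 and the secret key on line 3 as a high-entropy string, and `should_block_commit` returns true. The entropy detector is deliberately the weaker of the two: it catches secrets that have no fixed prefix, at the cost of false positives on hashes and encoded blobs, which is why a production hook pairs it with provider-specific patterns and a reviewed allowlist rather than relying on either alone. Scanning only stops new leaks; credentials that have already been committed must be treated as exposed and rotated, since they remain in repository history.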

Uber’s now scrambling to limit the damage to its reputation. The company has hired a former general counsel for the NSA to help it rethink its security practices and has also retained Mandiant, a cybersecurity firm that has dealt with the fallout from many high-profile breaches. Khosrowshahi only recently learned about the breach. “None of this should have happened,” he said in the release, “and I will not make excuses for it.” That’s just as well, because the behavior and practices that led to this fiasco are inexcusable.
