Uber has revealed that the company’s database was hacked in October last year, but instead of alerting authorities and warning users about the breach, it paid the hackers around £75,000 to keep quiet about the hack and to give assurances that the information would be deleted.
Former chief security officer Joe Sullivan reportedly made the decision to cover up the Uber hack, and it was a decision that cost him his job and his deputy’s job, and risked the security of some 56 million people around the world.
Uber criticised
The breach and the way it was handled have created a lot of mixed feelings. There is of course the initial shock, but when reminded of Uber’s antics and brushes with authorities over the last couple of years, is this story really that much of a surprise?
At the time of the breach, the reportedly troubled co-founder and CEO Travis Kalanick was in charge, and the company was involved in all sorts of scandals over drivers’ rights, reportedly sexist work practices, alleged bribes, questionable schemes and, of course, Uber losing its licence to operate in London.
Even with all the scandals and probes, Uber remained popular. With an estimated six million people in the U.K. using the service, it’s highly likely that most will have had their personal information compromised in the secret data breach.
Breached information may have included:
- Names
- Email addresses
- Phone numbers
Some drivers may also have had their licence plate numbers leaked. Uber says that journey history, bank details and dates of birth were not compromised.
Uber denies any misuse of information
Current CEO Dara Khosrowshahi said in a statement that the company does not believe any misuse of data has occurred yet, which is a broad statement. The hackers were asked to sign a non-disclosure agreement promising that they would neither distribute the supposedly deleted information nor speak about it.
However, with the nature of data, how can Uber be sure the hackers didn’t keep a copy of the stolen information?
Uber has not confirmed how quickly the deal was struck with the hackers; in the entire year between the breach and finally disclosing it, when was the information supposedly deleted?
Perhaps the hackers have already put the data up for sale, and criminals have already contacted users and drivers using the stolen contact details. Mobile numbers may already have been sold to telemarketers who make millions of nuisance calls. Phishing emails may have been sent to the leaked email addresses, whether for marketing purposes or carrying hidden malware that runs once a link or attachment is clicked.
Khosrowshahi’s statement bizarrely says: “We do not believe any individual rider needs to take any action.” He followed this up with a strong assertion that he “will not make any exceptions. At the time of the incident, we took immediate steps to secure the data and shut down further unauthorised misuse tied to the incident.”
On the face of it, that sounds great; they’ve sorted it.
However, Uber may have failed to comply with its legal obligations to disclose the data breach, and the statement does not address the risks to which users and drivers may have been exposed by not being warned about it.
Some have taken to social media to express their disgust at Uber’s response, with one Twitter user noting her shock that she only found out about the breach through media coverage.
Drivers have been offered the usual free-of-charge credit monitoring and identity theft protection, but we all know that this kind of offer is often just to make it look like Uber is doing something responsible in response to the breach.
In practice, cybercriminals may already have misused the stolen information, or may use it years later, once the free monitoring has run out.
Graham Cluley, computer security specialist, said:
“You can ask forgiveness for being hacked, but many people will find it harder to forgive and forget if you deliberately concealed the truth from them.”