Uber Covered Up Massive Security Breach For Over A Year – 57 million drivers’ and users’ data stolen
They Kept Quiet For Over A Year
Uber has just revealed that it suffered a massive security breach towards the end of 2016, in which information concerning 57 million Uber drivers and riders from around the world was stolen, and that it had kept the breach quiet until now. In a shocking statement, new Uber Technologies Inc CEO Dara Khosrowshahi said that the company was hacked by two individuals who illegally accessed its database and stole the names and driver’s license numbers of around 600,000 drivers in the United States, as well as some other personal information, including the names, e-mail addresses and mobile phone numbers from the other 57 million Uber users from across the globe (high chance this includes us folks in Malaysia too).
However, Khosrowshahi assured that the stolen data does not include other more sensitive information such as users’ credit card information, bank account information or dates of birth.
According to a report by Bloomberg, which first broke the story about Uber’s massive security breach, Uber paid the hackers a sum of 100,000 USD to destroy the stolen data and to keep the security breach under wraps. Due to their involvement in the cover-up, Uber’s Chief Security Officer Joe Sullivan and one of his deputies, lawyer Craig Clark, have been given the sack by the company.
In his statement, Khosrowshahi was very critical of Uber’s decision to keep mum regarding this serious security breach.
None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.
This whole controversy comes hot on the heels of another high-profile incident: the resignation of former CEO and co-founder Travis Kalanick last June, following allegations that he was instrumental in a company workplace culture which allowed rampant sexual harassment of its female employees and encouraged its workers to push legal boundaries.
Here’s how it all went down. According to the report by Bloomberg, the hackers obtained the information by using login credentials they had stolen from a private GitHub coding site used by Uber software engineers. Using the stolen login credentials, they discovered archived driver and user information stored inside Uber’s Amazon Web Services account. Soon after that, they e-mailed Uber and demanded money for the stolen data.
Kalanick, Uber’s former CEO, discovered this breach a month after it happened but kept quiet because, during that particular period of time, the company had just settled a lawsuit regarding data security disclosures (ironically) with the New York attorney general. They were also in discussions with the US Federal Trade Commission about their handling of consumer data (again, ironic).
Vyacheslav Zakorzhevsky, Head of Anti-Malware Research Team at Kaspersky Lab, said that this latest cyberattack shows that attacks are focused more on large corporations and, if successful, will only escalate with time.
When a data breach like this occurs, it is important to remember and never underestimate the consequences associated with personal information that has fallen into the hands of intruders. The data accessed can be used for further attacks against users, by spreading malware or any type of cyberespionage. For example, attackers can sell a stolen database with personal information on the underground market, where there is high demand.
This year we have already seen increased activity in cybercriminals targeting popular ride-sharing mobile apps. Such services will remain an appealing target, due to the valuable credentials and sensitive data they hold. Access to this information could lead to greater damage for users but high benefits for criminals.
We therefore strongly recommend that users be attentive to incoming messages sent by email or SMS, do not click on suspicious links, and avoid installation of apps from unknown sources. Kaspersky Lab also advises the use of a reliable security solution.
Khosrowshahi said that they will be directly notifying the drivers whose driver’s licenses were downloaded and will be providing these drivers with complimentary credit monitoring and identity theft protection services.
Pokdepinion: This is just sick. Sick and hugely unacceptable. Kudos to Dara Khosrowshahi for deciding to come clean about all this but the fact that Uber kept this from the public for MORE THAN A YEAR is just disrespectful and just plain irresponsible. The public’s trust in them will surely take a hit and I really don’t know how they can fully recover from this massive debacle.