Uber hid a powerful cyber attack with data theft 57 million customers and drivers

This week, the management of the Uber service announced that the cybercriminals had stolen the data of 57 million drivers and customers of the company. This is the number of accounts that have been compromised. Hacking was made not now, but about a year ago. The attackers who hacked into the company's servers also received $ 100,000 from it.

This, as it turned out , was a kind of deal between the company's security service and the burglars. The transaction was conducted by Joe Sullivan, the head of Uber’s network security department, and ex-CEO Travis Kalanick was looking after its execution. Details of this story were revealed by Uber employees who wished to remain anonymous.

It is worth noting that the head of the security department of the company was dismissed in June.
')
As for the attackers, there were only two of them. They stole a large amount of data about the drivers and customers of the company, including mobile phone numbers, e-mail and names. Theft was carried out from a server owned by a third party. After hacking, hackers demanded $ 100,000 in order to save the information on the server, and not to delete it.

The cyber attack was as follows: hackers initially gained access to the GitHub service, which Uber programmers work with. Then, by uploading the credentials of the company's employees, the attackers were able to log into Uber accounts at Amazon Web Services. This service from Amazon handled the computational tasks of the transport service. And already there the hackers received an archive with data on the company's customers and drivers.

The company did not just fulfill the demands of the criminals, but went even further. She tracked down the cybercriminals, but instead of punishment, Uber representatives decided to force the non-disclosure agreement to sign the crackers. Well, the "reward" was carried out according to the documents, as the allocation of funds to participants of the bounty program. Allegedly, these participants found the vulnerability of one of the services and reported it to Uber. Actually, this was almost the case, except for the fact that the Uber servers were hacked.

The terms of the deal would have remained unknown if the board of directors had not begun an investigation into the business practices used in Uber.

“I recently learned that at the end of 2016 we learned that two people outside the company were not working properly with user data placed on the third-party cloud storage that we use. This incident did not violate our corporate systems or infrastructure, ” wrote the new Uber CEO Dara Hosrovshahi.

In principle, hacking the company's servers cannot be considered something out of the ordinary. Prior to Uber, attackers hacked the protection of Yahoo , Equifax, and many other companies. The consequences in many cases were much sadder than what happened with Uber.

But, hiding the fact of hacking, the management of the service violated several US laws at once, as well as framed drivers and customers. Reputational damage can be very high. So far, the company's capitalization is estimated at $ 70 billion, but this amount may be significantly lower if the investigation regarding Uber continues. Now law enforcement officers in New York are planning to begin to conduct active detective work. The investigation has already begun, and most likely, it will not be finished soon.

“None of this should have happened, and I’m not looking for excuses. Although I can not cut the past, I can say that now we will draw conclusions from mistakes. We are changing the way we do business, and what happened is one of the reasons that prompted us to do this, ” says Khosrovshahi.

A representative of Kalanika declined to comment. However, sooner or later he will still have to answer questions from journalists and business partners. When he was a company manager, Kalanik’s work style raised many questions. He was even suing one of the company's first investors. This trial was recently closed.

Hacking Uber servers is a big reputational problem for Sullivan, who is responsible for the company's information security for several years. He became the head of the company's information security department in 2015. Prior to that, Joe Sullivan worked in a similar position for seven years.

Interestingly, Sullivan previously worked as a lawyer, studying the subtleties of the legislation of the information sphere at the University of Miami. Initially, the accession of Sullivan to Uber was considered as an excellent solution. The number of drivers and customers grew, so the concern of everyone involved with Uber regarding the protection of personal information grew.

After Sullivan left, another high-ranking manager left , responsible for the legal nuances of Uber’s work. This is Craig Clarke.

The company's decision to pay burglars has caused a number of questions from cybersecurity experts. The fact is that paying intruders is considered the last option, the worst of all. “Companies that pay intruders support cybercrime. Good guys create a market for bad guys. By paying the bad guys money, we allow teens to engage in burglary for fun, ”said Kevin Bymont, an information security expert from Britain.

For Uber, all of this is a very undesirable situation that could damage the company when entering the IPO in 2019. This stage is so important for the company that it is even called “Uber 2.0”.



Generally speaking, the current moment is the most inappropriate to open a case with burglars. The fact is that right now Uber is trying to complete a deal with the Japanese company SoftBank Group Corp. The essence of the deal is that the Japanese are investing $ 10 billion in Uber, receiving 14% of the transport company. Last month, the preliminary terms of the deal were announced, which, however, may still change.

One of the questions that have emerged now is whether Softbank can demand that Uber understate requirements and reduce the amount for a share in the company. A source close to the parties to the transaction says that the company is not going to refuse the transaction, but plans to get more favorable terms. What exactly the Japanese will demand is unclear.

Another question is what will happen to Kalanik in the near future. He did not quit his post as head of Uber, he had to leave his post due to pressure from investors who were unhappy with the style of his leadership. Kalanik is still a member of the board of directors and a significant shareholder.

Uber will deal with Britain, Australia and the Philippines at the same time. This is, first of all, the licensing of the company in these countries. Canada will also ask the management a few official questions about the incident, but the authorities of this country will not begin an investigation.

Regulators from the United States declared "close attention" for the development of the situation. Most likely, some states will still begin an investigation after more details are revealed.

In the US, Uber will have to deal with at least two class actions that were filed by platform users after it became known about the hack. Uber, after all this, only had to answer that "the company cooperates with the FTC and the authorities of several states to discuss hacking and subsequent actions."

Craig Clark, who was already mentioned above, was fired precisely because he did not fulfill his direct duties. The board of directors has now begun to check the actions of Sullivan and his team, which has hidden the hacking. It is already known that the special accident investigation committee, formed by the Uber board of directors, found out that the company’s managers did not consult a year ago on the legality and the need to take certain measures, but did everything in their own way. On the other hand, now the board of directors can say anything, but it is unlikely that anyone, except a couple of people who were at the helm, has touched the incident.

Now Khosrovshakhi says that the company received assurances from hackers that all the data they downloaded from AWS from the north was destroyed. It remains only to follow the further development of events.