Here's how Uber reportedly tried to keep the lid on the data breach that affected 57 million people
- On Tuesday, Bloomberg revealed that Uber paid hackers $100,000 to conceal an October 2016 data breach that exposed the personal information of 57 million users.
- The decision to cover up the hack was led by Uber's former chief executive Travis Kalanick and chief security officer Joe Sullivan, who has since been fired.
- The company demanded that the hackers sign nondisclosure agreements and then went on to disguise the payout fee as a 'bug bounty,' The New York Times reports.
- There are serious legal ramifications for Uber's decision not to immediately disclose the data breach.
On Tuesday, Bloomberg revealed that Uber paid hackers $100,000 to conceal a cyber attack that exposed the personal data of 57 million users of the app in October 2016. The hack exposed the names, emails, and phone numbers of 50 million riders, as well as the US driver's license numbers of an additional 7 million drivers.
The hackers subsequently contacted Uber and demanded a $100,000 extortion fee to erase the data from their servers, a demand which the company agreed to, according to the report. The decision to acquiesce with the hacker's extortion fee was reportedly led by former chief executive Travis Kalanick and chief security officer Joe Sullivan.
But new information has come to light giving us a further glimpse at Uber's strategy in dealing with the data breach.
According to a new report in The New York Times:
Uber acquiesced to the demands, and then went further. The company tracked down the hackers and pushed them to sign nondisclosure agreements, according to the people familiar with the matter. To further conceal the damage, Uber executives also made it appear as if the payout had been part of a 'bug bounty' - a common practice among technology companies in which they pay hackers to attack their software to test for soft spots.
Uber's chief security officer, Joe Sullivan, and an attorney who worked directly with Sullivan, Craig Clark, have since been fired.
So how does the Uber hack stack up against other recent data breaches? In comparison to the most recent Equifax security breach, which exposed the Social Security numbers and credit card numbers of 143 million customer, Uber's 2016 security breach affected far fewer people.
While the legal implications of Uber's cover up are still being examined - the Italian Data Protection Authority just launched an investigation into the data breach - The New York Times points out that Uber may have violated the Federal Trade Commission's stipulation that companies disclose data breaches and reveal any evidence of a cybersecurity compromise. Uber may have violated Californian breach disclosure laws as well.
William McGeveren, a law professor at the University of Minnesota, suggested in a tweet that Uber may be in violation of legal statutes by breaking data breach disclosure laws and potentially lying to the FTC while under investigation.
"None of this should have happened, and I will not make excuses for it," Dara Khosrowshahi, who joined Uber as CEO in September, wrote in a blog post addressing the data breach. "We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers."
For more details on how Uber handled the coverup, read The New York Times' story here.