Uber Hack: Hackers "Paid Off" To Keep Quiet Over Huge Data Breach

Uber has revealed that the company’s database was hacked in October last year, but instead of alerting authorities and warning users about the breach, they instead paid hackers around £75,000 to keep quiet about the hack, and for assurances that the information would be deleted.

Former chief security officer, Joe Sullivan, reportedly made the decision to cover-up the Uber hack, and it was a decision that cost him his job, his deputy’s job, and risked the security of some 56 million people around the world.

Uber criticised

The breach and the way it was handled has created a lot of mixed feelings. There is of course the initial shock, but when reminded of Uber’s recent antics and brushes with authorities over the last couple of years, is this story really that much of a surprise?

At the time of the breach, reportedly troubled co-founder and CEO, Travis Kalanick, was in charge, and the company was involved in all sorts of scandals over drivers’ rights, reportedly sexist work practices, alleged bribes, questionable schemes and of course Uber losing its licence to operate in London.

Even with all the scandals and probes, Uber remained popular. With an estimated six million people in the U.K. using the service, it’s highly likely that most will have had their personal information compromised in the secret data breach.

Breached information may have included:

Names
Email addresses
Phone numbers

Some drivers may also have had their licence plate numbers leaked as well. Uber says that journey history, bank details and dates of birth were not compromised.

Uber denies any misuse of information

Current CEO Dara Khosrowshahi said in a statement that the company does not believe any misuse of data has occurred yet, which is a broad statement. The hackers were asked to sign a Non-Disclosure Agreement to promise they wouldn’t distribute the supposedly deleted information, nor speak about it.

However, with the nature of data, how can Uber be sure the hackers didn’t keep a copy of the stolen information?

Uber has not confirmed how quickly the deal was struck with the hackers; in the entire year between the breach and finally disclosing it, when was the information supposedly deleted?

Perhaps the hackers have already put the data up for sale and criminals have already contacted users and drivers with the stolen contact information. Mobile numbers may have already been sold to telemarketers who make millions of nuisance calls. Phishing emails may have been sent to the email addresses for marketing purposes or perhaps to contain hidden malware that will be released once clicked upon.

Khosrowshahi’s statement bizarrely says: “We do not believe any individual rider needs to take any action.” He followed this up with a strong assertion that he “will not make any exceptions. At the time of the incident, we took immediate steps to secure the data and shut down further unauthorised misuse tied to the incident.”

On the face of it, sounds great; they’ve sorted it.

However, Uber may have failed to comply with legal obligations to disclose the data breach, and doesn’t address the potential risks they may have put their users and drivers at by not warning them about it.

Some have taken to social media to express their disgust at Uber’s response, with one twitter user noting her shock that she only found out about it over media coverage.

Drivers have been offered the usual free-of-charge credit protection monitoring and identity theft protection, but we all know that this kind of offer is often just to make it look like Uber is doing something responsible in response to the breach.

In practice, cybercriminals may have already misused the stolen information or use it years later when the free security monitoring runs out.

Graham Cluley, computer security specialist, said:

“You can ask forgiveness for being hacked, but many people will find it harder to forgive and forget if you deliberately concealed the truth from them.”

Start Your Claim

You can call our claims team free from a landline or mobile on 0800 634 7575 or click on the link below to create a call back with one of our expert Data Claims team.

Create A Call Back

Information on how we handle your data is available in our Privacy Policy.

The content of this post/page was considered accurate at the time of the original posting and/or at the time of any posted revision. The content of this page may, therefore, be out of date. The information contained within this page does not constitute legal advice. Any reliance you place on the information contained within this page is done so at your own risk.