Uber suffered massive data breach, then paid hackers to keep quiet

By Paul Ducklin, Sophos

November 12, 2017

News has surfaced today claiming that oft-controversial taxi ride-sharing company Uber suffered a massive data breach in 2016.

According to Bloomberg, the data of 57,000,000 drivers and customers was stolen, after which Uber not only kept the breach secret from the victims, but also paid the hackers $100,000 to “delete the data [and] keep quiet”.

Apparently, Uber’s security chief, Joe Sullivan, lured to Uber from Facebook in 2015, has been sacked in the fallout.

Bloomberg quotes Uber as follows:

Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world… The personal information of about 7 million drivers was accessed as well, including some 600,000 US driver’s license numbers. No Social Security numbers, credit card information, trip location details or other data were taken.

It seems that Uber’s programmers uploaded security credentials to a GitHub repository – GitHub is a place where you are supposed to store source code, not the keys to the castle! – where the hackers stumbled across them.

From there, the crooks were able to get into Uber servers hosted on Amazon, and from there to access the personal information involved in the breach.

If this sounds terribly familiar, Uber suffered a breach with a similar cause just over three years ago, an intrusion that was discovered in May 2014 but not disclosed until February 2015.
