Corporate Compliance Insights

Executive Responsibilities and Consequences: A Case Study of Uber’s Data Breaches

Individuals potentially face criminal charges for failing to disclose a data breach.

Organizations at risk of a data breach (that’s every organization, by the way) can learn something from Uber’s data privacy missteps. Squire Patton Boggs attorneys Colin Jennings, Ericka Johnson and Dylan Yépez offer key takeaways from the company’s high-profile data breaches.

On August 19, 2020, the former Chief Security Officer (CSO) for Uber Technologies Inc. (Uber) was charged with obstruction of justice and misprision of felony for allegedly trying to conceal from federal investigators a cyberattack that occurred in 2016, exposing the data of 57 million riders and drivers. Although an extreme case, it is a good reminder for companies and executives to take data breach disclosure obligations seriously.

The criminal complaint, filed in the U.S. District Court for the Northern District of California (“the Complaint”), appears to claim that Uber, through its former CSO, Joseph Sullivan, should have reported the 2016 data breach to federal investigators. But a business’s duty to disclose a data breach is not always clear, and there are often a myriad of laws, regulatory practices and consumer expectations when navigating a breach. Using Uber’s 2016 breach as a case study, company executives must be aware of and recognize the business and personal consequences associated with breach response, and specifically with intentionally concealing a breach.

The Obligation to Report a Data Breach is Often Not Straightforward

Across the world, countries have widely varying laws related to the protection of personal information and even greater variance on the requirements to disclose a breach of such information. Even within the United States, the definitions of “personal information” and “data breach” differ greatly from state to state, with no two state laws being identical, so businesses, particularly those operating on a national or global scale, must conduct multijurisdictional analyses to determine whether an obligation to disclose a given breach exists and, if so, the scope of the obligation. Often there are inconsistent laws and obligations, and regulatory and consumer expectations can vary greatly based on the nature, scope and context of the breach.

Many laws require disclosure of a data breach only if there is a “reasonable risk of harm” to the individual(s) whose personal information was unlawfully accessed and/or exfiltrated. This requires businesses to determine whether, based on the totality of circumstances, it is reasonably likely that a breach of personal information will harm affected individuals. On the other hand, some laws do not require any risk of harm. Further, given that the forensic review of a data breach evolves over time, it is not uncommon for the initial findings to change dramatically over the course of a breach response. What often appears to be a limited attack can become a wholesale loss of sensitive consumer or business data – and oftentimes both simultaneously.

The legal analysis is then complex, fact-specific and ever changing. Perhaps, for example, only a portion of the sensitive data was exposed (e.g., only the last four digits of a social security number or only an individual’s last name). Maybe, due to insufficient logs, forensic investigators cannot rule out the possibility that an unauthorized third party accessed the sensitive data or moved laterally into human resources data or databases containing consumer financial information. Or perhaps evidence suggests that the cybercriminals appear to be staging sensitive data for exfiltration, but have destroyed any evidence that data was actually taken. These are but a few examples of factors that can make the obligation to report far from straightforward.

As Uber’s 2016 breach response indicates, the difficulty of ascertaining a business’s breach notification obligations is not a defense to those company executives who intentionally conceal a breach. As discussed below, company executives who ultimately have to decide whether to disclose a breach should take notice of the potential consequences of making the wrong decision.

A Case Study in Intentionally Failing to Report a Breach

The Complaint alleges that, in response to Uber’s 2016 breach, former CSO Joseph Sullivan “engaged in a scheme to withhold and conceal from the [Federal Trade Commission] both the hack itself and the fact that that data breach had resulted in the hackers obtaining millions of records associated with Uber’s users and drivers.”

At the time of the breach, Sullivan was helping oversee Uber’s response to a Federal Trade Commission (FTC) investigation into Uber’s data security practices, which had been triggered, in part, by another Uber data breach that occurred in or around 2014. Sullivan was “intimately familiar with the nature and scope of the FTC’s investigation.”

About 10 days after providing sworn testimony to the FTC, however, Sullivan received an email from “[email protected],” claiming to have found a “major vulnerability in uber [sic],” and threatening that the hacker “was able to dump uber [sic] database and many other things.” Within days, Sullivan’s security team realized that an unauthorized person or persons had accessed Uber’s data and obtained, among other things, a copy of a database containing approximately 600,000 driver’s license numbers for Uber drivers.

Based on available information, this massive data breach likely triggered Uber’s duty to notify under numerous jurisdictions’ data breach laws. For comparison, the 2016 breach appeared significantly more expansive than the 2014 breach, in which a cybercriminal accessed over 100,000 individuals’ personal information on a cloud-based data warehouse.

Based on the Complaint, Sullivan allegedly took affirmative measures to conceal the data breach and the resulting exposure of data. Among other things, he allegedly:

  • negotiated with the cybercriminals to pay $100,000 in exchange for the hackers to sign a nondisclosure agreement (NDA), “falsely represent[ing] that the hackers had not obtained or stored any data during their intrusion,” even though “[b]oth the hackers and Sullivan knew at the time that this representation in the NDA was false;”
  • “instructed his team to keep knowledge of the 2016 breach tightly controlled;”
  • “never informed the FTC of the 2016 data breach, even though he was aware that the FTC’s investigation focused on data security, data breaches and protection of [Personally Identifiable Information];” and
  • “removed certain details … that would have illustrated the true scope of the [2016] breach” from a prepared summary for the new Uber CEO – changes which “resulted in both affirmative misrepresentations and misleading omissions of fact.”

Sullivan’s alleged motives to cover up the 2016 hack and data breach are the concerns that all companies must assess in connection with their breach notification responsibilities.

First, the Complaint appears to allege that one motive to conceal the breach was to prevent further reputational harm to the company. Like Uber’s customers, individuals entrust their data to companies on a daily basis, from making purchases to requesting services. Companies know, therefore, that they risk losing revenue if their customers lose confidence in the protection of their data.

Understanding this dynamic, he “became aware the attackers had accessed [the cloud] in almost the identical manner the 2014 attacker had used,” according to the Complaint. “That is, the attackers were able to access Uber’s source code on GitHub (this time by using stolen credentials), locate [a cloud] credential and use that credential to download Uber’s data.” As such, the Complaint appears to allege that both the embarrassment of falling victim to the same attack vector and the associated reputational consequences may have motivated Sullivan to conceal the breach.

Second, the Complaint appears to allege that another motive for concealing the breach was to prevent additional regulatory scrutiny. In the United States, companies like Uber are subject to many state- and industry-specific regulators (e.g., state Attorneys General, the Securities and Exchange Commission, FTC) — often simultaneously. Additionally, outside of the United States there are numerous laws and data protection or other authorities that govern data breaches.

At the time of the breach, Sullivan was actively responding to the FTC’s inquiries to assist in reaching a settlement related to the 2014 breach. For example, he approved language to the FTC representing that “‘all new database backup files’ had been encrypted since August 2014,” when in fact, they had not. Sullivan’s fears may not have been misplaced. In light of the new information regarding the 2016 breach, the FTC effectively withdrew its previous settlement terms and added requirements to the resolution with Uber.

Ultimately, it appears that such attempts to rationalize and avoid Uber’s breach notification responsibilities may have led Sullivan to engage in the actions he did.

Lesson Learned

In a public statement, the FBI advised that, “[w]hile this case is an extreme example of a prolonged attempt to subvert law enforcement, we hope companies stand up and take notice.” In effect, the consequences of failing to disclose a data breach are the most extreme in cases where a notification obligation clearly exists and the company and its officers consciously decide to circumvent that obligation during the course of an ongoing investigation. While companies have incentives to rationalize and avoid their disclosure obligations (e.g., reputational harm, regulatory oversight, expense), this incident highlights the potential consequences executives should be aware of when weighing the business decision to disclose a breach. Disclosure and direct individual notification of a data breach is now the expectation, and the decision to not disclose must be very carefully weighed – taking into account law, regulatory practice and consumer/customer expectations. One size does not fit all, and the nature, scope and circumstance of the specific breach must be carefully assessed in real time.

Ultimately, the legal analysis to determine whether an obligation exists and the business decision to disclose the same are nuanced and complex. If you experience a data breach, it is best to retain counsel who is highly experienced in the nuances of data breaches and the complexities of data breach notification laws for help determining whether and how to disclose a given breach.

Colin Jennings, Ericka Johnson and Dylan Yépez

Uber admits covering up massive 2016 data breach in settlement with US prosecutors

The personal information of 57 million people was exposed in the hack.

By Andrew J. Hawkins , transportation editor with 10+ years of experience who covers EVs, public transportation, and aviation. His work has appeared in The New York Daily News and City & State.

Uber admitted to covering up a massive cybersecurity attack that took place in October 2016 , exposing the confidential data of 57 million customers and drivers, as part of a settlement with the US Department of Justice to avoid criminal prosecution.

In order to not be prosecuted for the cover-up, Uber “admits that its personnel failed to report the November 2016 data breach to the [Federal Trade Commission] despite a pending FTC investigation into data security at the company,” according to a press release from the DOJ .

Hackers used stolen credentials to access a private source code repository and obtain a proprietary access key, which they then used to access and copy large quantities of data associated with Uber’s users and drivers, including data pertaining to approximately 57 million user records with 600,000 driver’s license numbers. 

The data breach was only revealed a year later, when the company publicly disclosed it, as reported by Bloomberg. The company allegedly paid its hackers a $100,000 ransom to delete the data and not publicize the breach to media or regulators. At the time, newly appointed Uber CEO Dara Khosrowshahi, who had taken over from former CEO Travis Kalanick after the latter was ousted from his position, admitted that the cover-up should not have happened.

According to the settlement, Khosrowshahi and his team reported the breach to the public, drivers, and government authorities after discovering it a year later. The decision not to prosecute the company was, in part, based on Uber’s decision to disclose the breach as well as an agreement with the FTC in 2018 to report any future cyberattack to government regulators. The settlement also acknowledges that Uber paid $148 million to settle civil litigation tied to the data breach.

It was a sharp turnaround as compared to the company’s leadership under Kalanick, who learned of the breach a month after it occurred. Joe Sullivan, Uber’s chief security officer at the time, was also complicit in the cover-up, leading to his firing by Khosrowshahi in 2017. Sullivan was later charged with obstruction of justice for trying to hide a data breach from the FTC and Uber management. His case is scheduled to go to trial in September 2022.

The hack included names, email addresses, and phone numbers of more than 50 million Uber riders worldwide, while more than 7 million Uber drivers had similar data exposed on top of driver’s license numbers for around 600,000 US drivers. 

Uber's Former Head of Security Convicted Over Concealing 2016 Data Breach

The 2016 Uber hack exposed the personal data of 57 million people but wasn't disclosed for a year.

Uber's former head of security, Joe Sullivan, was found guilty in a federal court Wednesday of concealing a 2016 data breach for more than a year. A jury rejected Sullivan's argument that other Uber executives were aware of the data breach and responsible for it not being publicly disclosed for over a year, according to Bloomberg .

Sullivan was convicted of obstructing justice by keeping the breach hidden from the Federal Trade Commission and actively hiding a felony by authorizing payments to the hacker responsible, according to the Washington Post.

The 2016 Uber hack exposed the personal data of 57 million drivers and users of the ride-sharing app, including names, email addresses and driver's license numbers.

The hack occurred in October 2016 but wasn't disclosed publicly until November 2017. Uber learned of the data breach in November 2016 and paid $100,000 for the cyber thief to delete the information.

In September 2018, Uber reached a settlement with all 50 US states and the District of Columbia to pay $148 million for failing to report the hack .

Uber didn't immediately respond to a request for comment.

Uber was again breached by a cyber attacker last month, with Uber laying the blame on hacking group Lapsus$, which has breached Microsoft, Cisco, Samsung, Nvidia, Okta and Rockstar Games in 2022.

Uber said last month's hack likely involved a contractor's personal device becoming infected with malware when they accepted a verification notification, leading to their credentials becoming exposed. The employee's credentials were then likely purchased from the dark web. Uber says no personal data was compromised.

Uber Settles Data Breach Investigation for $148 Million

By Kate Conger

Sept. 26, 2018

SAN FRANCISCO — Uber will pay $148 million to settle a nationwide investigation into a 2016 data breach, in which a hacker managed to gain access to information belonging to 57 million riders and drivers. The breach included names and driver’s license numbers for 600,000 drivers.

The investigation, led by state attorneys general across the United States, focused on whether Uber had violated data breach notification laws by not informing consumers that their information had been compromised.

Rather than disclosing the breach when it occurred, Uber paid the hacker $100,000 through its bug bounty program, which financially rewards hackers for discovering and disclosing software flaws. The ride-hailing company persuaded him to delete the data and stay quiet about it with a nondisclosure agreement.

The incident became public a year later when Uber’s chief executive, Dara Khosrowshahi, announced it as a “failure” and fired the two employees who had signed off on the payment.

“Uber’s decision to cover up this breach was a blatant violation of the public’s trust,” Xavier Becerra, California’s attorney general, said in a statement. “The company failed to safeguard user data and notify authorities when it was exposed.”

Tony West, Uber’s chief legal officer, said the settlement was part of a larger effort inside Uber to remake the company’s image. He said the company had recently hired a chief privacy officer and a chief trust and security officer.

“We know that earning the trust of our customers and the regulators we work with globally is no easy feat. After all, trust is hard to gain and easy to lose,” Mr. West said.

He added that the breach was disclosed to the public during his first day on the job. “Rather than settling into my new work space and walking the floor to meet my new colleagues, I spent the day calling various state and federal regulators,” Mr. West said.

The Federal Trade Commission settled its investigation into the data breach in April. The trade commission now requires Uber to submit to regular privacy audits as part of a 2017 settlement, which was revised this year to address the most recent breach.

The $148 million settlement announced Wednesday will be divided among all 50 states and the District of Columbia.

“Companies in California and throughout the nation are entrusted with customers’ valuable private information,” Mr. Becerra said. “This settlement broadcasts to all of them that we will hold them accountable to protect that data.”

Cyrus Farivar - Nov 21, 2017 11:20 pm UTC

Hackers hit Uber in 2016: data on 57 million riders, drivers stolen

According to Bloomberg , no trip location info, credit card information, or Social Security numbers was taken.

Uber did not respond to Ars’ questions—Matthew Wing, a spokesman, simply pointed us to the company's blog post .

Bloomberg also noted that Uber paid hackers $100,000 to delete the data and not publicize the breach. At the time of the breach, Uber was negotiating with federal regulators over different privacy concerns.

“You may be asking why we are just talking about this now, a year later,” Uber CEO Dara Khosrowshahi wrote in a blog post published on Tuesday morning. “I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it.”

Khosrowshahi explained that two security officials are no longer with the company. Bloomberg cited one of them as Chief Security Officer Joe Sullivan.

According to his LinkedIn profile , prior to moving to Silicon Valley tech firms in 2002, Sullivan served as an Assistant United States Attorney in the Northern District of California, focusing on high tech crime.

The CEO also noted the company would be notifying “regulatory authorities.”

“None of this should have happened, and I will not make excuses for it,” Khosrowshahi continued. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”

Uber settles with DOJ for failing to disclose breach that exposed 57 million users' data

The incident dates back to 2016.

Uber has officially accepted responsibility for hiding a 2016 data breach that exposed the data of 57 million passengers and drivers . On Friday, the company entered into a non-prosecution agreement with the US Department of Justice, reports Reuters . As part of the deal, Uber admitted it failed to inform the agency of the cyberattack. It also agreed to cooperate in the prosecution of former chief security officer Joe Sullivan who was fired by the company shortly after the incident came to light.

Uber did not immediately respond to Engadget’s request for comment. The company first revealed the details of the data breach in 2017. Instead of sharing what it knew about the incident with the government and users, the company paid hackers $100,000 to delete the information and stay quiet. “None of this should have happened, and I will not make excuses for it,” said Dara Khosrowshahi, Uber’s then recently appointed CEO, at the time of the disclosure. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.” In 2018, Uber paid $148 million to settle allegations by US state attorneys general that the company was too slow to disclose the incident.

Correction 07/25 5:20 PM ET : A previous version of this article mistakenly said Uber reached a non-prosecution agreement with the Federal Trade Commission. We regret the error.

Uber data breach from 2016 affected 57 million riders and drivers

Uber faced a data breach in 2016 that affected some 57 million customers, including both riders and drivers, revealing their names, email addresses and phone numbers. That affected group included 50 million riders and 7 million drivers; around 600,000 driver license numbers for U.S. drivers were also included in the breach, according to a new report from Bloomberg.

Uber did not report the incident to regulators or to affected customers, but instead paid $100,000 to “hackers” to get rid of the data in order to keep the breach under wraps, according to the report. It says further that no Social Security numbers or trip location information was taken in the attack, and that Uber doesn’t believe the leaked info was ever used, though it doesn’t specify who was responsible.

New Uber CEO Dara Khosrowshahi told Bloomberg via email that while he “will not make excuses” for the incident, he also believes that “none of this should have happened.” Khosrowshahi, who joined the ride-hailing company in August after a search for a replacement CEO following co-founder Travis Kalanick’s departure, also said that Uber did shut down the attack vector and increased its security measures following the attack, but that it failed in its duty to report.

Bloomberg says that Kalanick was aware of the hack as early as November 2016, just a month after it occurred. Uber Chief Security Officer Joe Sullivan, and a key senior deputy to the CSO, have also been removed from the company this week, specifically for their roles in keeping the cyberattack secret.

The report says the attack occurred because attackers managed to gain login credentials for an Uber Amazon Web Services account using a private GitHub site maintained by Uber engineers.

In a blog post addressing the breach, Khosrowshahi laid out plans for how the company will address the fallout of the incident, including bringing on a former NSA general counsel to provide guidance to Uber’s security teams, and notifying drivers whose license numbers were included in the breach. Uber will not only notify the drivers, but also offer them credit monitoring and identity theft protection services, though the post also says the company hasn’t seen “evidence of fraud or misuse tied to the incident.”

We’ve reached out to Uber for additional comment, and will update if we receive a response.

Uber Breach Exposes the Data of 57 Million Drivers and Users

Uber CEO Dara Khosrowshahi acknowledged the existence of the hack in a statement published on the company’s website, stating that in 2016, two outsiders gained access to user data that was stored on a third-party cloud-based service used by the company. The trove of stolen information included the names and driver’s license numbers of 600,000 Uber drivers, but Khosrowshahi clarified that the company’s corporate infrastructure and systems were not affected.

The hackers were able to gain access to the information after developers working for the company uploaded code to the repository website GitHub. Unfortunately, this code also contained credentials that the hackers used to log into special accounts on Uber’s network containing the sensitive data, which was hosted on Amazon Web Services (AWS) servers.

According to reports, the incident was further complicated when Uber paid the hackers $100,000 to delete the data and prevent the breach from being disclosed publicly. According to insiders, the company also made the hackers sign nondisclosure agreements as part of the deal, making it appear to be part of a bug bounty program, in which “bug hunters” are paid for hacking into a system to check for security flaws. In its statement, Uber also mentioned that two individuals who were part of the initial response back in 2016 were fired from the company.

Immediately after the breach, the company took steps to secure the data and prevent further unauthorized access by the individuals. Uber also implemented security measures on their cloud-based storage accounts intended to restrict access and strengthen controls. The drivers whose credentials were compromised were notified and provided with free credit monitoring and identity theft protection.

Insights from the Uber breach

Not only is this latest incident one in a long line of recent data breaches, but it is also not the first one to involve the highly popular ridesharing company: back in April 2016, a series of “phantom trips” occurred after stolen Uber accounts were peddled in the underground. Just a few days ago, a similar incident involved drone manufacturer DJI, which was also the subject of a data breach involving GitHub repositories.

For organizations, there are many lessons to be learned from this incident, starting with the proper configuration of public cloud storage, as well as increased emphasis on its security.

In Uber’s case, the error was compounded by the exposure of sensitive credentials, which could easily have been avoided by putting more care into what goes into these repositories. Adherence to the shared responsibility model for cloud services also helps create a highly secure environment that makes it difficult for attackers to reach sensitive information.

Paying off threat actors does not make the problem “go away”: it guarantees neither that the data will be deleted nor that public disclosure can be avoided. It will likely complicate matters further, since the payment can fund future attacks and, depending on the circumstances, the payment and the non-disclosure can be construed as violations of regulations. It also hurts a company’s reputation and damages the trust between the company and its customers and partners. It is reasonable to assume that, in most data breach cases, the personal information acquired by the attackers will be sold in the underground.

Customers should always be aware of the potential impact applications could have on their privacy. Many users download apps without being aware that these could actually be gathering personal information that could be exposed in the event of a data breach. For users whose privacy is non-negotiable, looking for “opt-out” clauses or even choosing alternative apps would be better choices.

While Uber initially made mistakes with how they handled the incident, the company is now taking the right steps to address the breach by placing greater emphasis on securing their cloud storage and repositories. While the incident cannot be reversed, creating comprehensive contingency measures and mobility plans can help mitigate the impact of data breaches.

Organizations that rely heavily on cloud storage can look into the use of multilayered solutions such as Trend Micro™ Hybrid Cloud Security, which delivers a blend of cross-generational threat defense techniques that have been optimized to protect physical, virtual, and cloud workloads.

Uber agrees to $148M settlement with states for 2016 data breach

September 26, 2018 / 5:40 PM EDT / CBS/AP

Uber will pay $148 million and tighten data security after the ride-hailing company failed for a year to notify drivers and customers that hackers had stolen their personal information, according to a settlement announced Wednesday.

Uber reached the agreement with all 50 states and the District of Columbia after a massive data breach in 2016. Instead of reporting it, Uber hid evidence of the theft and paid ransom to ensure the data wouldn't be misused.

"This is one of the most egregious cases we've ever seen in terms of notification. A yearlong delay is just inexcusable," Illinois Attorney General Lisa Madigan said in an interview with the Associated Press. "And we're not going to put up with companies, Uber or any other company, completely ignoring our laws that require notification of data breaches."

Uber, whose GPS-tracked drivers pick up riders who summon them from cellphone apps, learned in November 2016 that hackers had accessed personal data, including driver's license information, for roughly 600,000 Uber drivers in the U.S. The company acknowledged the breach in November 2017, saying it paid $100,000 in ransom for the stolen information to be destroyed.

The hack also took the names, email addresses and cellphone numbers of 57 million riders around the world. 

"None of this should have happened, and I will not make excuses for it," Dara Khosrowshahi, who Uber named as CEO last September, said in a statement when the hack was revealed late last year. "While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes."

After significant management changes in the past year, Tony West, Uber's chief legal officer, said the decision by current managers was "the right thing to do."

"It embodies the principles by which we are running our business today: transparency, integrity and accountability," West said. "An important component of living up to those principles means taking responsibility for past mistakes, learning from them and moving forward."

The settlement requires Uber to comply with state consumer protection laws safeguarding personal information and to immediately notify authorities in case of a breach; to establish methods to protect user data stored on third-party platforms; and create strong password-protection policies. The company also will hire an outside firm to conduct an assessment of Uber's data security and implement its recommendations.

West said the commitments in the settlement coincide with physical and digital safety improvements the company recently announced. Uber hired a longtime in-house counsel as its chief privacy officer and selected a former general counsel to the National Security Agency and director of the National Counterterrorism Center as the company's chief trust and security officer.

The settlement payout will be divided among the states based on the number of drivers each has. Illinois' share is $8.5 million, said Madigan, who plans to provide $100 to each affected Uber driver in Illinois. The payout was similar to what several other states had estimated.

Andy Greenberg

Hack Brief: Uber Paid Off Hackers to Hide a 57-Million User Data Breach

By now, the name Uber has become practically synonymous with scandal. But this time the company has outdone itself, building a Jenga-style tower of scandals on top of scandals that has only now come crashing down. Not only did the ridesharing service lose control of 57 million people's private information, it also hid that massive breach for more than a year, a cover-up that potentially defied data breach disclosure laws. Uber may have even actively deceived Federal Trade Commission investigators who were already looking into the company for a distinct, earlier data breach.

On Tuesday, Uber revealed in a statement from newly installed CEO Dara Khosrowshahi that hackers stole a trove of personal data from the company's network in October 2016, including the names and driver's license information of 600,000 drivers, and worse, the names, email addresses, and phone numbers of 57 million Uber users.

As bad as that data debacle sounds, Uber's response may end up doing the most damage to the company's relationship with users, and perhaps has even exposed it to criminal charges against executives, according to those who have followed the company's ongoing FTC woes. According to Bloomberg, which originally broke the news of the breach, Uber paid a $100,000 ransom to its hackers to keep the breach quiet and delete the data they'd stolen. It then failed to disclose the attack to the public, potentially violating breach disclosure laws in many of the states where its users reside, and also kept the data theft secret from the FTC.

"If Uber knew and covered it up and didn’t tell the FTC, that leads to all kinds of problems, including even potentially criminal liability," says William McGeveran, a data-privacy focused law professor at the University of Minnesota Law School. "If that's all true, and that’s a bunch of ifs, that could mean false statements to investigators. You cannot lie to investigators in the process of reaching a settlement with them."

According to Bloomberg, Uber's 2016 breach occurred when hackers discovered that the company's developers had published code that included their usernames and passwords on a private account of the software repository GitHub. Those credentials gave the hackers immediate access to the developers' privileged accounts on Uber's network, and with it, access to sensitive Uber servers hosted on Amazon's servers, including the rider and driver data they stole.

While it's not clear how the hackers accessed the private GitHub account, the initial mistake of sharing credentials in GitHub code is hardly unique, says Jeremiah Grossman, a web security researcher and chief security strategist at security firm SentinelOne. Programmers frequently add credentials to code to allow it automated access to privileged data or services, and then fail to restrict how and where they share that credential-laden software.

"This is all too common on GitHub. It’s not a forgiving environment," says Grossman. He's far more shocked by the reports of Uber's subsequent coverup. "Everyone makes mistakes. It’s how you respond to those mistakes that gets you in trouble."

Uber's count of 57 million users covers a significant swath of its total user base, which reached 40 million monthly users last year. The company hasn't notified affected users, writing in its statement that it's "seen no evidence of fraud or misuse tied to the incident," and that it's flagged the affected accounts for additional protection. As for the 600,000 drivers whose information was included in the breach, Uber says it's contacting them now, and offering free credit monitoring and identity theft protection.

Mass spills of names, phone numbers, and email addresses represent valuable data for scammers and spammers, who can combine those data points with other data leaks for identity theft, or use them immediately for phishing. The more sensitive driver data that leaked may offer even more useful private information for fraudsters to exploit. All of it contributes to the dreary, steady erosion of the average person's control of their personal information.

But it's Uber, not the average user whose data it spilled, that may face the most severe and immediate consequences. The company has already fired its chief security officer, Joe Sullivan, who previously led security at Facebook, and before that worked as a federal prosecutor. By failing to publicly disclose the breach for over a year, the company has likely violated breach disclosure laws, and should be bracing for hefty fines in many states where its users live, as well as its home state of California, says the University of Minnesota Law School's McGeveran. (In statements on Twitter embedded above, former FTC attorney Whitney Merrill echoed that interpretation of those breach disclosure laws.) “I would not be surprised to see states pursuing Uber on that basis,” McGeveran says.

Former FTC attorney Whitney Merrill echoed that interpretation Tuesday on Twitter.

If the cover-up included making false statements to the FTC during its investigation of the 2014 breach, even though it was a separate incident, that could have even more dire consequences. Making false statements to the commission’s investigators, McGeveran points out, is a federal criminal offense. “This is not just a casual chat over a cup of tea. It’s a formalized investigative procedure,” McGeveran says. “They’re already being asked investigative questions by a government official. They not only know about the breach, but they’re allegedly paying hackers to cover it up. They presumably omit this 57 million person breach from their disclosure to the FTC.”

“If all of that is true,” McGeveran reiterates, “that’s huge.”

Uber says hackers behind 2016 data breach were in Canada, Florida

John Flynn, chief information security officer for Uber Technologies, testifies to the Senate Commerce Consumer Protection, Product Safety, Insurance and Data Security Subcommittee in Washington

Reporting by Dustin Volz and Jim Finkle; Editing by Alistair Bell and Grant McCool

Uber to pay record $148 million over 2016 data breach

Uber will pay $148 million to settle an investigation into a 2016 data breach that the company was accused of intentionally concealing.

The settlement with attorneys general for all 50 states and Washington, DC, will be split among the states. It's the largest ever multi-state data breach settlement, according to the New York attorney general.

The investigation was called to look into allegations that the ride-share company violated state-level notification laws by intentionally withholding that hackers stole the personal information of 57 million users in 2016.

The breach wasn't disclosed until late 2017, when Uber revealed that it paid the hackers $100,000 to destroy the data. In April, Uber settled a case with the Federal Trade Commission, which was investigating claims that Uber deceived customers over this breach.

As part of the settlement, Uber has agreed to develop and implement a corporate integrity program for employees to report unethical behavior. It also agreed to adopt model data breach notification and data security practices, as well as hire an independent third party to assess its data security practices.

"This record settlement should send a clear message: we have zero tolerance for those who skirt the law and leave consumer and employee information vulnerable to exploitation," New York attorney general Barbara D. Underwood said in a press release. New York will get about $5.1 million of the payout.

"Our current management team's decision to disclose the incident was not only the right thing to do, it embodies the principles by which we are running our business today: transparency, integrity, and accountability," said Uber chief legal officer Tony West in a blog post on Wednesday. "We'll continue to invest in protections to keep our customers and their data safe and secure, and we're committed to maintaining a constructive and collaborative relationship with governments around the world."

The settlement comes as Uber attempts to clean up its practices. In July, for example, Uber finally hired a chief privacy officer: Ruby Zefo became Uber's top executive focused on privacy. Matt Olsen also joined as chief trust and security officer.

Uber quits GitHub for in-house code after 2016 data breach

Code trove wasn't to blame: Uber didn't have multifactor authentication on repos that included AWS credentials.

Uber’s confessed that it didn’t use multifactor authentication on its GitHub account, an omission that ultimately led to the data breach it revealed in 2017 after keeping it secret for more than a year, after using its bug bounty program to bribe the hacker to stay schtum.

It’s now stopped using GitHub for anything other than open source projects.

The not-a-taxi company’s chief information security officer John Flynn revealed the GitHub gaffe in testimony (PDF) before the US Senate Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security, which on Tuesday February 6th conducted a hearing titled “Data Security and Bug Bounty Programs: Lessons Learned from the Uber Breach and Security Researchers”.

The breach saw a hacker access oodles of data from one of Uber’s AWS S3 buckets. Flynn told the hearing “that the intruder found the credential [for AWS] contained within code on a private repository for Uber engineers on GitHub.”

Flynn did not explain how the hacker accessed that repository, but we can guess at a brute-force or password-guessing attack from Flynn’s testimony that “We immediately took steps to implement multifactor authentication for GitHub and rotated the AWS credential used by the intruder.”

“Despite the complexity of the issue and the limited information with which we started, we were able to lock down the point of entry within 24 hours.”

“We ceased using GitHub except for items like open source code,” he added.

Flynn also confessed that its bug bounty program was “not an appropriate vehicle for dealing with intruders who seek to extort funds from the company.” But he also defended its use on grounds that doing so “assisted in the effort to gain attribution and, ultimately, assurances that our users’ data were secure”, while also noting that extortion is not what bug bounty programs should ever reward.

Video testimony from the hearing was not available at the time of writing, so we’re unable to report on Flynn’s answers to any questions directed his way.

We asked GitHub if it was aware Uber all-but-dumped it, and if it has responded to the breach in any way. We did so partly to see what it knew, and partly because Uber dumping GitHub when it hadn’t secured its own repos properly seems a bit harsh.

GitHub responded, telling us "This was not the result of a failure of GitHub's security. We cannot provide further comment on individual accounts due to privacy concerns."

"Our recommendation is to never store access tokens, passwords, or other authentication or encryption keys in the code. If the developer must include them in the code, we recommend they implement additional operational safeguards to prevent unauthorized access or misuse."

Uber's followed that advice: Flynn said its code now includes only auto-expiring AWS creds. ®
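GitHub's advice above, never to commit access tokens or keys, is the kind of rule a repository can enforce mechanically. As an added illustration that is not code from Uber, GitHub or the article, the scanner below flags AWS access key IDs and secret-key assignments in source before a commit lands; the sample file contents and the key values are constructed (the values are AWS's published documentation examples, not live credentials).

```python
import re
from typing import Dict, List, Tuple

# AWS access key IDs are 20 characters starting with "AKIA" (long-term user
# keys) or "ASIA" (temporary STS keys); the matching secret is 40 characters.
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_KEY_RE = re.compile(
    r"(?i)aws_?secret_?access_?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})['\"]?"
)


def mask(value: str) -> str:
    """Keep only the first and last four characters so findings can be
    logged without re-leaking the secret."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_source(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, finding_type, masked_value) for each hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append((lineno, "aws_access_key_id", mask(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((lineno, "aws_secret_access_key", mask(m.group(1))))
    return findings


def precommit_check(files: Dict[str, str]) -> bool:
    """Pre-commit gate: True if no file contains a credential, else False."""
    clean = True
    for path, text in files.items():
        for lineno, kind, masked in scan_source(text):
            print(f"{path}:{lineno}: possible {kind} ({masked}); move it out of the code")
            clean = False
    return clean


# Constructed sample: a settings module of the kind an engineer might commit.
SAMPLE = """\
import boto3
# TODO: move these to the environment before release
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
BUCKET = "rider-exports"
client = boto3.client("s3")
"""

if __name__ == "__main__":
    raise SystemExit(0 if precommit_check({"settings.py": SAMPLE}) else 1)
```

Short-lived STS credentials of the kind Flynn describes still carry an "ASIA" key ID, so the same check catches them if someone pastes one into a file.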

    Wed 7 Feb 2018 // 07:30 UTC. Uber's confessed that it didn't use multifactor authentication on its GitHub account, an omission ultimately led to the data breach it revealed in 2017 after keeping it secret for more than a year, after using its bug bounty program to bribe the hacker to stay schtum. It's now stopped using GitHub for anything ...