Tuesday, November 21, 2017

Uber Paid Hackers to Delete Stolen Data on 57 Million People

Along with having ultimate responsibility for ensuring coffee logistics, sometimes having to don the risk manager hat and being on guard against the appearance of the Hubris-Nemesis Complex (more accurately Sophocles' whole hubris, anagnorisis, nemesis, catharsis story line - I'm forgetting a couple steps), I think about stuff.

A couple posts back I even referenced the thinking-about-stuff bit: "having spent some time trying to front run Sand Hill Road and understand things like Uber...".

Don't tell anyone but sometimes that part is pretty easy, just pattern recognition:
November 19, 2014
Here's the Real Problem With Uber: You Can't Trust Them 
Yeah, three years ago.
At that time there weren't many of us saying there was something very wrong with Uber:
Izzy Kaminska at Alphaville, Sarah Lacy at Pando, recovering VC Peter Sims and yours truly. Maybe one or two more.
Otherwise, the 2014 commentariat was happy, happy, joy, joy all over the Ubester.

Here's the latest from Bloomberg
  • Company paid hackers $100,000 to delete info, keep quiet
  • Chief Security Officer Joe Sullivan and another exec ousted
Hackers stole the personal data of 57 million customers and drivers from Uber Technologies Inc., a massive breach that the company concealed for more than a year. This week, the ride-hailing firm ousted its chief security officer and one of his deputies for their roles in keeping the hack under wraps, which included a $100,000 payment to the attackers.

Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world, the company told Bloomberg on Tuesday. The personal information of about 7 million drivers was accessed as well, including some 600,000 U.S. driver’s license numbers. No Social Security numbers, credit card information, trip location details or other data were taken, Uber said.

At the time of the incident, Uber was negotiating with U.S. regulators investigating separate claims of privacy violations. Uber now says it had a legal obligation to report the hack to regulators and to drivers whose license numbers were taken. Instead, the company paid hackers to delete the data and keep the breach quiet. Uber said it believes the information was never used but declined to disclose the identities of the attackers.

“None of this should have happened, and I will not make excuses for it,” Dara Khosrowshahi, who took over as chief executive officer in September, said in an emailed statement. “We are changing the way we do business.”

After Uber’s disclosure Tuesday, New York Attorney General Eric Schneiderman launched an investigation into the hack, his spokeswoman Amy Spitalnick said. The company was also sued for negligence over the breach, and the case is seeking class-action status.

Hackers have successfully infiltrated numerous companies in recent years. The Uber breach, while large, is dwarfed by those at Yahoo, MySpace, Target Corp., Anthem Inc. and Equifax Inc. What’s more alarming are the extreme measures Uber took to hide the attack. The breach is the latest scandal Khosrowshahi inherits from his predecessor, Travis Kalanick.

Kalanick, Uber’s co-founder and former CEO, learned of the hack in November 2016, a month after it took place, the company said. Uber had just settled a lawsuit with the New York attorney general over data security disclosures and was in the process of negotiating with the Federal Trade Commission over the handling of consumer data. Kalanick declined to comment on the hack.

Joe Sullivan, the outgoing security chief, spearheaded the response to the hack last year, a spokesman told Bloomberg. Sullivan, a onetime federal prosecutor who joined Uber in 2015 from Facebook Inc., has been at the center of much of the decision-making that has come back to bite Uber this year. Bloomberg reported last month that the board commissioned an investigation into the activities of Sullivan’s security team. This project, conducted by an outside law firm, discovered the hack and the failure to disclose, Uber said.

Here’s how the hack went down:...
...MUCH MORE, a rip-roaring yarn told on a classic hubris, anagnorisis, nemesis, catharsis arc.

That failure to disclose is just nasty and offers insight into how Uber got to where it is now, an over-valued taxi company with plans to go driverless.
And airborne.