Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Privacy Security Technology

Uber Concealed Cyberattack That Exposed 57 Million People's Data (bloomberg.com) 32

According to Bloomberg, hackers stole the personal data of 57 million customers and drivers from Uber. The massive breach was reportedly concealed by the company for more than a year. From the report: Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world, the company told Bloomberg on Tuesday. The personal information of about 7 million drivers were accessed as well, including some 600,000 U.S. driver's license numbers. No Social Security numbers, credit card details, trip location info or other data were taken, Uber said. At the time of the incident, Uber was negotiating with U.S. regulators investigating separate claims of privacy violations. Uber now says it had a legal obligation to report the hack to regulators and to drivers whose license numbers were taken. Instead, the company paid hackers $100,000 to delete the data and keep the breach quiet. Uber said it believes the information was never used but declined to disclose the identities of the attackers.

Here's how the hack went down: Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.

This discussion has been archived. No new comments can be posted.

Uber Concealed Cyberattack That Exposed 57 Million People's Data

Comments Filter:
  • by viperidaenz ( 2515578 ) on Tuesday November 21, 2017 @05:55PM (#55598921)

    Sure, you can trust them to delete the data they stole.
    They won't just take your hush money and sell the data anyway.

    • Yeah, that was my first thought; you NEVER pay ransom when what was stolen is also valuable to someone else. You're dealing with criminals, and you expect honest behaviour?

      You also never pay ransom when you can't stop them from simply repeating their crime, but that doesn't really apply in this case. And if you can afford to take the hit, you don't pay ransom simply to make the crime less profitable in general.

  • by rmdingler ( 1955220 ) on Tuesday November 21, 2017 @05:59PM (#55598967) Journal

    No Social Security numbers, credit card details, trip location info or other data were taken, Uber said.

    Given Uber's track record, this is the guarantee equivalent of "The check's in the mail" and "No, those jeans don't make you look fat."

    • by sl3xd ( 111641 )

      Can we all just accept that Uber is less safe for consumers than asking a drunk who just got thrown out of a bar for a ride?

      • by Mashiki ( 184564 )

        Can we all just accept that Uber is less safe for consumers than asking a drunk who just got thrown out of a bar for a ride?

        Funny enough, that's how the regulation of taxi companies started happening in Canada.

    • by Anonymous Coward

      This will just play out like the Equifax hack. Every couple of weeks they'll revise their statement, admitting the breach was slightly worse than they admitted before.
      So give it a few months and I'll wager you'll see them eventually fess up to having users CC and SS details stolen too.

      Uber now says it had a legal obligation to report the hack to regulators and to drivers whose license numbers were taken

      But not their users whose details were taken ?
      Glad I don't use Uber, and after seeing how they prefer to cover themselves instead of those whose details were taken, I never will.

    • Uber is the company that just keeps giving... all these wonderful headlines, that is. It's sort of amazing what a moral crapfest some companies can be. I mean, I generally consider most corporations to be amoral, but these guys sink way below even that level.

      • We can always still vote with our wallets, sighhh, but the corporate landscape is as depressing a place for a referendum as politics has become.

        The meteoric rise of ride-share companies was in direct response to the dreadful track record of the entrenched taxi industry, with their poor service history, fare gouging, and competition-restricting medallion allotment system in large cities.

        The most important characteristic for advancement in business and politics seems to be a sociopath's lack of any moral co

  • All California drivers for Uber should file a complaint here with the AG:
    https://www.oag.ca.gov/privacy/databreach/reporting [ca.gov]

    My complaint states:

    Uber failed to notify thousands of California drivers for Uber of a PII data breach in violation of Calliforonia Civ. Code s.1798.82(a).
    https://www.bloomberg.com/news/articles/2017-11-21/uber-concealed-cyberattack-that-exposed-57-million-people-s-data

  • . . . let's talk about how much it will cost to delete the backup copy.

    And next week, we can talk about how much it will cost to delete the secondary backup.

    And eventually, we'll need to talk about the offsite backups.

    • And that is called paying the Dane-geld;
          But we've proved it again and again,
      That if once you have paid him the Dane-geld
          You never get rid of the Dane.

      -- Rudyard Kipling

  • No Social Security numbers, credit card details, trip location info or other data were taken, Uber said.

    So the people who didn't disclose an October 2016 attack until now assure us about the details of what was copied? Forgive me if I don't think it wise to trust the statements of those who don't disclose problems to the adversely affected in a timely manner. We've seen so many examples of other organizations later disclose that their attacks were worse than they first let on [slashdot.org], it'll be noteworthy if this is

  • by markdavis ( 642305 ) on Tuesday November 21, 2017 @10:30PM (#55600543)

    >"Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company."

    Translation:

    The Uber employees used the SAME logins/passwords on a GITHub site that was on the Internet as their credentials on ANOTHER site that handles their production data which was also on the Internet!

    Huge no-no!!! #1 rule- keep passwords private and secure/undisclosed. #2 rule- never use the same credentials on multiple sites (especially critical sites... most especially anything accessible on the Internet). This is like security 101...

    • by Anonymous Coward

      The production site:

      1) allowed access from public net with nothing more than a simple text password
      2) developers had access to production

      Why are these problems?

      1a) Developers are operationally stupid and lazy. They do dumb ass things like use the same login/password everywhere.
      1b) Access to production should always be limited to sysadmins/operations staff.
      1c) Access should require multiple authentication and be through vpn.
      2) Developers are operationally stupid and lazy. That's one of many reasons we don'

  • It’d been quiet on the Uber front for a couple months... I was getting really worried.

    Thank heavens things are back to normal!

    • The BBC reported it as 'corporate whack-a-mole' in Uber - just as soon as one crisis is dealt with, another one pops up ;-)

Don't panic.

Working...