During October 2016, hackers stole the personal information of 50 million Uber riders, including their names, addresses, e-mail addresses and phone numbers. They also took the information of 7 million drivers, including around 600,000 US driving license numbers. Uber stated that no credit card details, trip details or Social Security numbers were stolen.
At the time the hackers stole the information, Uber was in negotiations with the US regulatory board regarding claims about violation of privacy. Rather than report the theft, Uber preferred to pay the hackers the $100,000 demanded in their ransomware attack, and this led to the hackers deleting all the information as well as keeping the incident quiet.
Uber CEO Dara Khosrowshahi, who took up his position in September 2017, stated, "None of this should have happened, and I will not make excuses for it." He went on to stress that Uber is changing the way it works and does business.
While hackers have successfully breached many companies, such as Yahoo, Myspace, and Anthem amongst a long list of giants, the handling of the situation under ex-CEO and founder Travis Kalanick is just another case adding to the record of his incompetent management of the company. It seems that Kalanick, who was Uber's CEO at the time of the attack, only learned of it a month after it had taken place, and that came at a time when Uber had just finished settling a lawsuit in NY over data security disclosure and was in negotiations with the FTC about consumer data handling.
Sullivan, the Uber executive in charge of spearheading the hack response, used to work as a federal prosecutor and had joined Uber after leaving Facebook back in 2015. His decision-making process has raised a lot of questions, and most of the decisions are now coming back to haunt Uber. This case was managed by Sullivan and was handled with an outside law firm.
The attack was perpetrated by two hackers who gained access to a private GitHub coding site used by software engineers who worked for Uber. The hackers managed to obtain the engineers' login credentials and access data that was stored on an Amazon Web Services server. With this login information, the hackers were able to access the rider and driver data and, using ransomware, demanded money from Uber via e-mail.
There are a number of State and Federal regulations and laws that require mandatory reporting of such attacks, and Uber did not comply with these requirements. Khosrowshahi stated that, after reviewing what had happened in the past, he realized that "At the time of the incident, Uber took immediate steps to secure the data and shut down further unauthorized access by the individuals. Uber also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts."
Uber, under Kalanick's direction, has earned a very bad name in the industry, in fact in any industry. The company flouted most Federal, State and Local regulations, and as a result of its many inappropriate activities, the US has started around five probes into alleged bribes, illicit software, questionable pricing schemes and theft of a competitor's intellectual property. Uber also faces hundreds of lawsuits, and the latest global development was when the city of London banned Uber from operating within its borders due to reckless behavior.
Uber was fined $20,000 in January 2016 by the Attorney General of New York for failing to disclose breaches in its systems in 2014. Khosrowshahi, the new CEO, is facing stiff challenges, including this new development, and stated that Uber is changing. In view of these new developments, Sullivan and senior lawyer Craig Clark were fired from Uber. Khosrowshahi also stated that he could not erase the past, but that he will commit on behalf of every Uber employee to learn from the mistakes made in the past.
Tony West, Uber's new CLO replacing Salle Yoo, stated that Salle did not know of the attack. West has now been briefed about it and will start his official work for Uber on Wednesday this week. Uber also hired Matt Olsen, former general counsel at the NSA, in an advisory role to help support Uber through the current transformative times. Olsen will start by helping Uber analyze and restructure its security policies and personnel. Uber also hired Mandiant, a cybersecurity firm and subsidiary of FireEye Inc., to investigate the hack.
Uber will release a statement soon that will claim that there was "no evidence of fraud or misuse tied to the incident." Uber will provide free credit protection monitoring and identity theft protection to drivers whose licenses were compromised.