Uber Concealed Cyberattack That Exposed 57 Million People's Data

According to Bloomberg, hackers stole the personal data of 57 million customers and drivers from Uber. The massive breach was reportedly concealed by the company for more than a year. From the report: Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world, the company told Bloomberg on Tuesday. The personal information of about 7 million drivers were accessed as well, including some 600,000 U.S. driver's license numbers. No Social Security numbers, credit card details, trip location info or other data were taken, Uber said. At the time of the incident, Uber was negotiating with U.S. regulators investigating separate claims of privacy violations. Uber now says it had a legal obligation to report the hack to regulators and to drivers whose license numbers were taken. Instead, the company paid hackers $100,000 to delete the data and keep the breach quiet. Uber said it believes the information was never used but declined to disclose the identities of the attackers.

Here's how the hack went down: Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.

They paid off criminals?

[viperidaenz]

Sure, you can trust them to delete the data they stole.
They won't just take your hush money and sell the data anyway.

Re:They paid off criminals?

[Baron_Yam]

>Let's say you only want to keep the breach quiet...

Well, then, everything worked out!

Rats, if you're holding Uber stock

[rmdingler]

No Social Security numbers, credit card details, trip location info or other data were taken, Uber said.

Given Uber's track record, this is the guarantee equivalent of "The check's in the mail" and "No, those jeans don't make you look fat."

Re: Worse than that

The production site:

1) allowed access from public net with nothing more than a simple text password
2) developers had access to production

Why are these problems?

1a) Developers are operationally stupid and lazy. They do dumb ass things like use the same login/password everywhere.
1b) Access to production should always be limited to sysadmins/operations staff.
1c) Access should require multiple authentication and be through vpn.
2) Developers are operationally stupid and lazy. That's one of many reasons we don't allow them access to production at companies run by adults.

What have we learned (or further confirmed) about Uber?

1) Uber is not run by adults
2) Uber is evil and stupid and lazy
3) Developers are stupid and lazy
4) Uber should be put out of its misery asap but won't because they're "too big to fail" and have the backing of too many people with a lot more money than ethics or morals

Uber is what happens when money is the *only* thing a company cares about. Losing data in stupid ways, lying about it, lying about the lies, abusing women staffers, abusing women execs, abusing customers, abusing drivers, abusing the local government of every city they operate in, cheating the taxi companies (yes they are scumbags too but Uber has managed to out scumbag them), and generally making the other evil big name companies like Facebook, Google, Microsoft, and Apple look like fucming saints by comparison required tremendous active effort.

Uber didn't become that evil by accident. It starts at the top and works it's way through the entire organization until anyone insufficiently evil gets snuffed out. It cannot be purged except by death of the entire company. I do hope they stay in business however. Otherwise their scum will spread across the entire tech industry and take their evil ideas with them everywhere. It is much better all the shitty people stay in one place together. Keep in mind where they learned to behave if you see an Uber resume.