Uber suffered massive data breach, then paid hackers to keep quiet
By Paul Ducklin, Sophos
November 12, 2017
surfaced today claiming that oft-controversial
According to Bloomberg, the data of 57,000,000 drivers and customers was stolen, after which Uber not only kept the breach secret from the victims, but also paid the hackers $100,000 to “delete the data [and] keep quiet”.
Apparently, Uber’s security chief, Joe Sullivan, lured to Uber from Facebook in 2015, has been sacked in the fallout.
Bloomberg quotes Uber as follows:
It seems that Uber’s programmers uploaded security credentials to a GitHub repository – GitHub is a place where you are supposed to store source code, not the keys to the castle! – where the hackers stumbled across them.
From there, the crooks were able to get into Uber servers hosted on Amazon, and from there to access the personal information involved in the breach.
If this sounds terribly familiar, Uber suffered a breach with a similar cause just over three years ago, an intrusion that was discovered in May 2014 but not disclosed until February 2015.