In today’s technological world, the cyber attack Uber suffered a little over a year ago, and its concealment, resonates strongly. In October 2016, the platform was attacked by a group of hackers who stole the personal data of 57 million customers and drivers. The stolen information, according to Bloomberg, included names, e-mail addresses, telephone numbers and, in the case of American drivers, driver’s license numbers.
Broken down, a total of 50 million users and 7 million workers were affected. Bank card numbers, travel details, social security numbers and other information, the company says, were not compromised. Paradoxically, however, this is not the main problem.
An attack that might have been dwarfed by others, such as those suffered by Yahoo! or MySpace long ago, has set off every alarm because it was concealed with a payment of $100,000 to the attackers. “None of this should have happened,” said Dara Khosrowshahi, the current CEO of Uber; but it has happened.
They had to report the attack, and they did not
When it all happened, in October 2016, the technology company was in negotiations with US regulators over various privacy violation claims. It was a delicate moment, and those in charge at the time, first among them the security chief, Joe Sullivan, decided to hide the attack, betraying the trust of users and drivers.
To make matters worse, according to the company itself, they had “a legal obligation” to report the hack to government agencies and to the people affected. They did not.
The attack went through several phases. First, the cybercriminals managed to access a private GitHub coding site used by the company’s software engineers. From there they obtained access credentials and used them to log in to an Amazon Web Services account belonging to Uber. There, finally, they found a file containing all the information that was stolen.
The last step, some time later and according to the company, was to send Uber an email requesting money. A ransom, in the end.
“At the time of the incident, we took immediate measures to secure the data and close the unauthorized access of people,” Khosrowshahi said. At the same time, he said, the company implemented security measures to restrict access and strengthen controls on its cloud storage accounts. Fine, but they also paid the cyber-attackers.
Into the pockets of these individuals, whose identities have not been revealed, went US$100,000. The purpose? That they would erase the illicitly obtained data and keep the breach secret. A dangerous precedent that, in passing, financed online criminals.
The secret held, of that there is no doubt: the matter has come to light only thanks to an external investigation by a law firm that examined the activities of the security team led by Sullivan, who has been fired. It is a serious matter that is under investigation by the New York Attorney General’s office.
Nothing is known about whether the hackers actually erased the data. Did they really do it?
One more from Uber
Travis Kalanick, the predecessor of Khosrowshahi (who took office last September), learned of the massive data theft in November 2016, only one month later. Did anything happen? Not that we know of. Kalanick declined to comment when asked by the media, but Uber’s reputation continues to fall from scandal to scandal.
“We are changing the way we do business, putting integrity at the center of every decision we make and working hard to gain the trust of our clients,” says the current head of the department.
This belated exercise in transparency is a step, yes, although it is more or less obligatory if they want to respect the laws of the country from which they operate. But it does not seem sufficient.
The handling of this breach follows numerous controversies and accusations. Kalanick faced loud criticism at the time for his management of the company and its practices toward its workers. In March we learned of the existence of Greyball, a secret program through which its users were spied on and attempts were made to evade government oversight.
In the days following the approval of Trump’s immigration decree, Uber was accused of supporting him, and a campaign to stop using the service emerged. Add to the list still more problems in the company’s relationship with its workers, the most recent in London, where it was obliged to treat them as employees. There are also the accusations of abuse and sexism made by former workers, a complaint by one of its first investors over possible fraud, and other security breaches it has suffered.
Uber will find it difficult, very difficult, to regain trust, although its valuation remains at its highest.