
Uber Paid Hackers to Delete Stolen Data on 57M People - coloneltcb
https://www.bloomberg.com/news/articles/2017-11-21/uber-concealed-cyberattack-that-exposed-57-million-people-s-data
======
rickcnagy
> Here’s how the hack went down: Two attackers accessed a private GitHub
> coding site used by Uber software engineers and then used login credentials
> they obtained there to access data stored on an Amazon Web Services account
> that handled computing tasks for the company. From there, the hackers
> discovered an archive of rider and driver information. Later, they emailed
> Uber asking for money, according to the company.

Don't check secrets into VCS, folks!

~~~
claudiulodro
I'm surprised Uber doesn't have their engineers set up 2FA for GitHub. Super
simple to implement and require organization-wide[1], and it would have
prevented this. Then again, not storing credentials in GitHub would also have
prevented this...

[1] [https://help.github.com/articles/requiring-two-factor-authen...](https://help.github.com/articles/requiring-two-factor-authentication-in-your-organization/)

~~~
lhorie
GitHub 2FA has been part of the first-day training/laptop setup for a while
now (I joined in May), and there's security-related training in place as well.
I was told there are also scanners in place now that check repos, gists, etc.
for secrets, for exactly this type of mistake.

One snippet of the email the article didn't mention was that Sullivan's firing
happened pretty much right after Dara learned of the breach and an
investigation was conducted. It definitely inspires more confidence in
leadership seeing that the CEO will not tolerate unethical behavior.

~~~
msh
Uber will not tolerate unethical behavior, you've got to be joking!?!?

~~~
lhorie
I think many people don't realize this, but the majority of the leadership
team from like a year or two ago is now gone, including Travis.

Also, Uber has been hiring a lot of new people - the ratio of new people vs
old timers is really high. I'm obviously just one anecdata point, but I
believe new hires (and a lot of old timers) want Uber to be an ethical
company, and many have joined the company specifically to tackle that
challenge. One great example that comes to mind was when one board member made
a sexist remark at an all-hands meeting a few months ago and by the end of
that same day, Liane Hornsey (who had just joined as the new head of HR) had
him give up his seat.

There's a big push towards trying to make things right, with the Holder
report, the 180 days of change campaign, the implementation of new training
courses, an anonymous complaint hotline for employees, etc. And the unspoken
message right now is pretty clear: inappropriate conduct _will_ get you fired,
even if you are the head of your org.

Obviously there's still a lot of work to be done, but I think we're at least
on the right track now.

~~~
drawnwren
This is good for Uber and their employees in the short term, but I can't help
but think it's bad for their ideals in the long run. There are a lot of
scenarios that look very bad for Uber economically and it would be a shame for
a culture shift to coincide with the realization of one of them.

~~~
lhorie
Honestly, I find that a lot of economic discussions in the media are highly
speculative (and dissonant to what I've seen circulated internally), and
things get just downright sensationalist on some topics, so I've been taking
news about Uber with a large grain of salt.

> it would be a shame for a culture shift to coincide with the realization of
> one of them

I think everyone at Uber has at least some idea about the P&L situation, but
there's no doubt in people's minds that we need to drop the
go-fast-and-dubiously culture and embrace a do-things-properly culture. If
anything, I think it's more likely that a major crisis would continue to drive
home that idea.

------
harry8
Every day we see more evidence that boards of directors and senior management
should be personally accountable financially and with respect to their liberty
for the company they are managing or overseeing doing foul things that they
_ought_ to have known.

The "I didn't know, I just took a vast salary to play golf" argument should
not be any kind of defence. If there is the real prospect of going to jail,
golfers will resign, those who take the job would actually take an interest
and have the ability to do so.

An idea whose time has come.

~~~
randerson
I'm in charge of security at a large e-commerce company. I do not play golf. I
mostly live in fear.

No sensible person would sign up for the CSO position if they risked jail time
when their company gets hacked. You can't really control it. A random engineer
could make a mistake that gets hackers a step closer. Or it could be a zero-
day vulnerability that nobody knows how to protect against.

There are millions of motivated adversaries out there and a finite number of
employees at your company to outsmart them. It's a game you can't win. The
larger your company becomes, the broader your attack surface becomes, and the
higher value a target you become.

You just have to hope that when you get hacked, it is a "forgivable" hack
like a zero-day or highly targeted attack.

If CSOs are to be personally accountable for the malicious actions of others,
it needs to be due to clear negligence on their part, and the responsibilities
need to be clearly defined.

~~~
harry8
Not because you got hacked. No. Hell no. I never suggested that and reject it
totally.

We're talking about a cover-up: if you cover up the fact that someone stole
private data belonging to other people you took responsibility for. If you try
and pretend it didn't happen because you might get away with it, then claim you
didn't know when it comes out? Then yes, absolutely, you deserve to risk jail
time for that. As does your board of directors.

CSOs, senior management, boards of directors should be personally responsible
for their own actions. They need to have something at stake that they really
dread losing when making the decision "perhaps we can get away with this?"

~~~
jbob2000
The problem with jail time is that the courts need to assess how much damage
was done to determine what a fair sentence is. How do you assess the damage
done during a data leak? Do you get one hour of jail time for each person's
data you leaked? Do you get a day per gigabyte leaked? What if nobody does
anything with the stolen data?

And how do you make that scale? If I miss a semicolon and leak 5 people's
data, then I'd hardly get any jail time. If I miss a semicolon and leak
150,000,000 people's data, I will die in prison. In both scenarios, I made the
same error, but the outcomes were insanely different!

~~~
Atheros
The law has plenty of experience dealing with sufficient nuance to distinguish
a mistake from negligence.

------
ipsum2
> Uber said it will provide drivers whose licenses were compromised with free
> credit protection monitoring and identity theft protection.

This happened more than a year ago, and only now are they planning on
offering identity theft protection? That's ridiculous.

~~~
nathan_long
> Uber said it will provide drivers whose licenses were compromised with free
> credit protection monitoring and identity theft protection.

"Sorry we left uranium in your house a year ago and didn't bother telling you.
Here's a coupon for free cancer screenings."

------
chakalakasp
Man, I don't know if Uber is evil or if most tech companies are evil and Uber
just doesn't drop the kind of money on PR strategery that an evil company needs
to drop in order to seem normal. But either way, holy cow does that company
come off as toxic. They've completely revolutionized the drive-for-hire
industry and all anyone ever hears about is what a D-bag their CEO is or how
toxic and misogynist their work environment is or how hard they work to spy on
their employees and customers (to the point that the CEO of Apple had to have
a Come To Jesus talk with the CEO of Uber) or how their employees feel like
they are getting screwed or, now, how they are concealing massive data
breaches. It's like how I imagine Uber would be if it was run by Magneto
instead of Tony Stark.

~~~
brightball
I never quite know how to think about them. On the one hand, they've changed an
entire industry in a way that people wanted but was getting serious resistance
from the entrenched players. They had to break a lot of rules and go around a
lot of people with a whole lot of connections to get where they are, and in the
process made a lot of enemies.

I expect blowback. I expect negative news. They essentially pulled it off by
looking at every day as combat where fighting dirty was rewarded.

~~~
nemothekid
Airbnb had to fight a very similar path and the only bad press I can remember
about them was that tone-deaf/offensive political marketing campaign they
had.

~~~
sgustard
Headlines like "Airbnb hosts violently murder houseguest, police say" have
stuck with me.

------
odammit
Private repo or not, checking your credentials into git is amateur.

I'd normally say eventually it'd bite you if you fall into the habit and do it
on a public repo by accident, but it looks like it can bite you on a private
one too.

Manage your secrets. Use something like Vault[1] or Pass[2]; they're free and
awesome projects.

I keep all of my secrets, even non-prod ones, in one of these two because if you
think about it, even your "non-prod" GitHub credentials are kinda prod since
you have access to code.

1- [https://www.vaultproject.io/](https://www.vaultproject.io/)

2- [https://www.passwordstore.org/](https://www.passwordstore.org/)

Also when it comes to AWS secrets, give your developers read only access, make
them turn on MFA and assume a role that scopes permissions to the work they
need to do.

Leaking AWS secrets is really asking for it. The number of bots that
consistently scan public git repos and then use the credentials to spin up
massive instances to mine cryptocurrency is impressive. I've seen it do
upwards of $10,000 in AWS usage within five minutes of the commit containing
the credentials.
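A repo secret scanner of the kind lhorie and odammit describe, written as an added example here (it is not Uber's internal tooling or any project's code). It flags AWS access key IDs and secret keys by format, and generic "password/token/api_key = ..." assignments by entropy; the AWS values in the samples are the example credentials from AWS's own documentation, and the other sample values are constructed.

```python
"""Commit-time secret scanner (added example, not Uber's scanner)."""
import math
import re
from collections import Counter

# Constructed sample inputs. The AWS values are the example credentials that
# appear in AWS's own documentation, not live keys.
SAMPLE_CONFIG = """\
[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

SAMPLE_SOURCE = """\
DB_PASSWORD = "changeme_changeme"
API_KEY = "Xk9fQ2mL7pZ4tR8wB3nV6yH1cJ5dG0sA"
"""

SAMPLE_CLEAN = """\
import os
session = boto3.Session(aws_access_key_id=os.environ["AWS_ACCESS_KEY_ID"])
"""

# Ordered most specific first so each line is reported once, under the most
# precise label. Third field: whether the match must also pass the entropy test.
PATTERNS = [
    ("aws_access_key_id",
     re.compile(r"(?P<value>\b(?:AKIA|ASIA)[0-9A-Z]{16}\b)"), False),
    ("aws_secret_access_key",
     re.compile(r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?"
                r"(?P<value>[A-Za-z0-9/+=]{40})\b"), False),
    ("generic_high_entropy",
     re.compile(r"(?i)(?:password|passwd|secret|token|api[_-]?key)\w*\s*[=:]\s*['\"]?"
                r"(?P<value>[A-Za-z0-9/+=_\-]{16,})"), True),
]
# Bits per character. A coarse filter: placeholders like "changeme_changeme"
# fall below it, random-looking keys land well above it.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep a 4-char prefix so a finding is traceable without re-leaking it."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(text: str, source: str = "<text>") -> list[dict]:
    """Return one finding per offending line: source, line number, kind, redacted value."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern, needs_entropy in PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            value = m.group("value")
            if needs_entropy and shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue
            findings.append({"source": source, "line": line_no,
                             "kind": kind, "redacted": redact(value)})
            break  # most specific label wins; do not report the line twice
    return findings


def main() -> int:
    """Scan the samples; a non-zero exit is how a pre-commit hook blocks the commit."""
    all_findings = []
    for name, text in [("credentials", SAMPLE_CONFIG),
                       ("settings.py", SAMPLE_SOURCE),
                       ("clean.py", SAMPLE_CLEAN)]:
        all_findings.extend(scan_text(text, name))
    for f in all_findings:
        print(f"{f['source']}:{f['line']}: {f['kind']}: {f['redacted']}")
    return 1 if all_findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Wired into a pre-commit hook over `git diff --cached`, the same `scan_text` blocks the commit before the key ever reaches the remote, private repo or not.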

~~~
sillysaurus3
It may be amateur, but it's one of the most common mistakes. Even at top
companies.

~~~
odammit
Amateur may not have been the best word. Maybe easy or lazy or debt. I've seen
it a lot where it was something that was inherited and the current team knows
it's a problem, but they have a thousand features to build and never get around
to fixing that debt.

~~~
sillysaurus3
The cure for this is to get a pentest. It forces you to care.

------
ProAm
If the FTC doesn't act on this they are toothless. Uber's blatant disregard for
anything accountable or respectable is astounding:

"In January 2016, the New York attorney general fined Uber $20,000 for failing
to promptly disclose an earlier data breach in 2014. After last year’s
cyberattack, the company was negotiating with the FTC on a privacy settlement
even as it haggled with the hackers on containing the breach, Uber said. The
company finally agreed to the FTC settlement three months ago, without
admitting wrongdoing and before telling the agency about last year’s attack."

~~~
gorbachev
One would hope the next settlement would have more teeth.

If I were running the FTC, I would not settle this time, because it's blatantly
obvious Uber was acting in bad faith last time around.

------
sthomas1618
"Here’s how the hack went down: Two attackers accessed a private GitHub coding
site used by Uber software engineers and then used login credentials they
obtained there to access data stored on an Amazon Web Services account that
handled computing tasks for the company. From there, the hackers discovered an
archive of rider and driver information. Later, they emailed Uber asking for
money, according to the company."

Seems to suggest they committed AWS credentials into source control?

~~~
chadbennett
81% of all breaches now originate from compromised credentials mainly acquired
from 3rd party data breaches or data leaks. Most organizations believe that
2FA and SSO are the answer but this proves that 2FA/SSO are not enough.

~~~
tabeth
Do you believe this kind of thing is simply unavoidable? I wonder if this
could've been avoided by simply making it impossible to access data without
being connected to a VPN in addition to having some sort of physical device
connected to your computer.

~~~
ajsharp
It's entirely avoidable. Just don't commit secrets to source control. Ever.

~~~
fiddlerwoaroof
I don’t think many people intentionally commit secrets to source control.
Frequently, it’s a matter of committing a bunch of work and accidentally
missing the credentials you stuck in some prototype code.

------
jtchang
"In January 2016, the New York attorney general fined Uber $20,000 for failing
to promptly disclose an earlier data breach in 2014."

Because you know...20k really really hurts for a company like Uber.

~~~
untog
I recall a story (that I'll probably recount incorrectly) about a daycare
business deciding that too many parents were arriving late to pick up their
children (meaning that staff had to stay late with the kids), so they
instituted a fine for late pickups.

The result was that _more_ parents were late. The reason being that the
parents effectively considered the fine a "late pickup fee", and one they were
more than willing to pay. If the parents were fined a day's daycare fee for
being ten minutes late you can bet their attitude would change.

I see company fines in the same light - they formalise the process of
absolving responsibility and moving on. Just pay the toll and continue to
handle your customer data cavalierly.

~~~
gr3yh47
>Just pay the toll

especially when the cost of doing the right thing is higher.

I mean, look at HSBC: laundered trillions of dollars of mega-organized-crime
money. For a decade. A $400M fine probably isn't even .01% of what they
made off that endeavor.

~~~
panarky
And they say we need less regulation of corporate behavior.

~~~
alexanderstears
Less regulation would be better than the system we have now - where large and
connected corporations can buy get out of jail free cards.

~~~
panarky
Please tell me more about how even less regulation would have held Uber
accountable.

~~~
alexanderstears
It wouldn't. But I'd wager that Uber isn't going to be held accountable (or
not very accountable) for this, so why not write the rules so that everyone
gets to be as cavalier? It'd save a lot of companies the headaches that go
along with IT security.

~~~
panarky
Some drivers don't stop at stop signs.

Let's remove the stop signs so all drivers can be as cavalier.

It'd save a lot of drivers the headaches that go along with traffic laws.

~~~
Spivak
Better example. Almost everyone performs rolling stops at stop signs. Even
when people are ticketed they just pay it and don't change their behavior. Why
have the fine at all?

~~~
colejohnson66
Because it's basically free money for the departments the ticket money goes to.

------
madamelic
Yep.

About that time my Uber account was 'hacked' and someone kept requesting rides
in Florida and I had to cancel them as fast as they made them.

I emailed Uber support and they got back to me 3 days later.

Then someone proceeded to try to gain access to every account I had with that
email and password (yeah, yeah, I know). The next worst was someone getting
into my DigitalOcean account and launching an instance.

It has finally settled down; I occasionally get alerts from people trying to
break into something, but there's lots of 2FA and no shared passwords anymore.

I am not sure if this was Uber's fault or another site's but the timeframe of
Oct 2016 lines up.

~~~
asabjorn
In the disclosure it says that the attack included names, email addresses and
phone numbers. It did not contain any passwords or social security numbers, so
your passwords must have been compromised in some other way.

~~~
shallot_router
It's not related to this particular breach, but given this and Uber's other
issues, it's not out of the realm of possibility that at some point they had a
more serious breach involving loss of password hashes or interception of
credentials at login.

(But in all likelihood the poster's account was just compromised through the
usual means, otherwise there would be more reports of hacked accounts.)

~~~
asabjorn
The article states that this disclosure came out of a board-commissioned
investigation into the activities of Sullivan's security team. Do you think
that other more serious breaches discovered by this investigation are hidden,
or is this more of a general sentiment around how you perceive Uber?

~~~
kenbaylor
Oh there's more. Much more.

~~~
asabjorn
I don't think these kinds of comments add much to the discourse, and we on HN
try to not comment when we don't have anything to add.

Do you have any evidence that the action here by the new leadership to
disclose all breaches was disingenuous?

------
marenkay
... so honestly, at this point, we basically have another Uber thing every 2nd
week.

I do not get why there is no legal action taken against Uber or even steps to
shut it down.

So much of the stuff violates basic laws on how to run a business, apart from
the humongous flaws in Uber's ethics and damaging effects on society.

~~~
skybrian
From the article: "After Uber’s disclosure Tuesday, New York Attorney General
Eric Schneiderman launched an investigation into the hack, his spokeswoman Amy
Spitalnick said. The company was also sued for negligence over the breach by a
customer seeking class-action status."

~~~
marenkay
I read that; what I do not get is how the difference in judgement can be
justified.

Small companies will instantly get sued and pay fees ruining them for these
things. And that's already the first time it happens. For Uber this is beyond
ten-finger counting in terms of issues in the past two years.

It is just not having any consequences, and by now from the legal side you can
conclude that Uber is a repeat offender which has not learned anything from
previous cases.

So, my point stands. When will this actually lead to consequences and justice
being served?

------
jedberg
Something about this isn't sitting right with me.

I know Joe (the ousted CISO). I’ve known him for almost 15 years, and worked
with him professionally in the past.

This is not like him. He was the most ethical lawyer I ever met. Everything
was by the book. He cares about privacy. He cares about users. He’s prosecuted
the worst of the worst.

Something here isn’t right.

~~~
bbarn
CSO/CISOs are basically there to be the fall person in the case of a data
breach. Your job is basically to implement process and policy to the point of
nearly breaking productivity, then get fired when that wasn't enough.

------
osrec
I am amazed at the things Uber gets through and is still standing after...

~~~
dijit
Never underestimate the power of marketing. My mother for instance would use
Uber over any ride-sharing system due to its insane exposure and the fact that
these stories remain relatively unheard of in comparison.

~~~
spike021
It's already way more common to use "Uber" as a verb, or even a noun, that
doesn't necessarily even mean Uber the company itself.

People have asked me before if I'm about "to uber" or "take an uber" someplace
and they say it in an obvious way that implies "any ridesharing company" (or
Lyft in my case since most people know I only Lyft nowadays).

Uber just as a word for ride-sharing has become ingrained and won't be easy to
get rid of, IMO.

~~~
malydok
Same as `googling` will long remain the synonym for `searching the internet`.

~~~
chimeracoder
> Same as `googling` will long remain the synonym for `searching the
> internet`.

That's more due to the ubiquity and dominance of Google itself.

It's rare to hear someone say "I Googled it on Bing" or even "Let me Google my
email" when they're using Outlook. Maybe not unheard-of, but definitely
nowhere near the threshold needed for genericization.

~~~
pbhjpbhj
> It's rare to hear someone say "I Googled it on Bing"

True AFAIK, but if you ever give computer support you'll find people "just
google it" and use the greeting page on their browser [aka "the internet"],
which is just as often Bing or Yahoo as it is Google. Google, the verb, is
definitely generic, but the RTM holders of Google have several hundred million
of $currency to spend on lawyers to say it isn't.

------
stevenj
Ever since Susan Fowler told her story about what happened to her at Uber, I
have only used Lyft, and have encouraged all my friends to do the same.

I plan to never use Uber again.

~~~
misun78
Uber employee chiming in - while I entirely sympathize with HN's frustrations
around our ethics and can't really justify our actions around this data
breach, it is very much worth noting that Lyft would not exist were it not for
Uber's extremely aggressive practices. There were/are far too many
protectionist policies at play in most locales that -- not out of pure
coincidence -- needed a company as aggressive as Uber to pave the path for a
better option for both riders and drivers (over existing taxis).

We fought all the battles, took a hit on our reputation and set it up nicely
for Lyft who very smartly played along with the nice guy approach to
capitalize. Net-net, no Uber would have most likely meant existing taxis
everywhere and as most riders/drivers will tell you, there is nothing
inherently better about either app, they offer the same, pay the same but
vastly differ in perception.

That said, we took our aggressive attitude way too far. In an ideal world,
Travis would have evolved or replaced himself a couple of years back once the
company essentially reached escape velocity where our consumers themselves
became our most fervent supporters. Unfortunately that did not play out and
making a near perfect switch like that is probably unlikely.

Given this important context, I hope you will give Uber another chance as in
the end, Dara and the employees are genuinely trying to evolve by doing the
right things and putting all of this behind us. You can get some sense of this
from going to sites like reddit.com/r/uberdrivers (or r/lyft) and seeing the
changing perception at least from the driver side of things.

~~~
linkregister
I disagree that Lyft would not exist; Lyft invented the UberX category.
Originally Kalanick complained about Lyft's creative interpretation of the
law, before succumbing to internal employee pressure to introduce a
competitor. Years after its introduction, Kalanick admitted that he didn't
believe in UberX until it demonstrated its success.

That said, almost all of the notable legislative and regulatory battles were
conducted and won by Uber.

The wrongful actions by companies do get forgiven eventually, as toxic
executives leave (as in the case of the CEO, Legal Officer, and now the CSO),
but no public is foolish enough to immediately absolve any company of
wrongdoing. Uber will have a reputation for sexual harassment long after it
meets or exceeds the standards of other large companies.

~~~
lappet
> Lyft invented the UberX category

In fact, there was a company called SideCar[1] who popularized the idea of
ridesharing before Uber and Lyft. There was a time, maybe 2013 or 2014 when I
exclusively used Sidecar until Uber became more prominent. Uber was only
offering their high end cars at that time.

[1] [https://en.wikipedia.org/wiki/Sidecar_(company)](https://en.wikipedia.org/wiki/Sidecar_\(company\))

------
tptacek
Amazon's access control and authorization system is the current most important
broken thing in the industry.

The Joe Sullivan details are the lurid stuff that propels news story copy, but
the important takeaway is that almost nobody, including companies with
_serious_ investments in security, can safely get a large-scale dev team
deploying onto AWS.

This story keeps getting re-told, and has been for something like 5 years now.
It's a problem, and it needs to get fixed, decisively.

~~~
cddotdotslash
Full disclosure: I'm the founder of CloudSploit[1] which aims to reduce these
risks.

You're definitely on to something here. While I wouldn't call AWS security
"broken," it is next to impossible to implement it correctly in any medium to
large size business. There are 30+ services that AWS provides, each with an
infinite number of security controls, JSON-based policies, etc. Cross-service
access is even worse. Almost every service has some form of sub control that
extends or complements the main security tool (IAM). KMS has key policies, ECR
has registry policies, SNS has delivery policies, etc. S3 has perhaps the most
confusing permission policy in existence, which has led to scores of high
profile hacks this year alone.

There are 12+ public regions now, with more coming every few months, each
fully enabled, yet segregated within the UI and API (which makes detecting
attackers who have embedded themselves in unused regions more difficult).

All it takes is literally one typo in a single user's policy and leaked
credentials and your environment is completely compromised. Recovery is next
to impossible without basically starting from scratch because you'll never
find every tiny hole the attacker left as a backdoor for later without combing
through GB of CloudTrail logs.

Now take all that, put it in an organization with 500+ engineers and you can
see how easy it is for this to happen. Think you're safe by putting each team
in their own account? Well AWS supports cross account role provisioning and
engineers can easily set that up within their accounts. The spider web of
issues is endless.

[1] [https://cloudsploit.com](https://cloudsploit.com)

~~~
aptwebapps
> While I wouldn't call AWS security "broken," ...

That doesn't match with the rest of your comment. At all. What _would_ you
call broken, then?

~~~
cddotdotslash
The security itself is sound. AWS has very very few security incidents where
their security was compromised. KMS hasn't been broken (to anyone's public
knowledge). If you mark an S3 bucket as private, they've never been
accidentally exposed at the fault of AWS.

The issue is in the user's use of the security features. Do you call bcrypt
broken if someone uses a weak password and only 1 round of salting? Do you
call TLS broken if someone misconfigures their NGINX installation?

------
vthallam
> Uber said it will provide drivers whose licenses were compromised with free
> credit protection monitoring and identity theft protection

This has got to be a running joke now. Companies lose the data and offer
credit/theft protection rather than facing the consequences. If Equifax could
get away with the giant breach, I am sure Uber will not even feel the heat. smh.

~~~
theDoug
I moved to the US in April and was shocked by the Equifax breach, but more
surprised to hear from a coworker how often these "free credit/identity
monitoring for a year" situations occur.

One co-worker is covered by no less than four groups who failed to look out
for him earlier, all for trusting companies to not screw up PII or remember
that data is a liability.

~~~
vthallam
Yeah, this happens a lot here. I mean, it's the cheapest and most effective way
for companies to get away.

------
dantiberian
From [https://www.nytimes.com/2017/11/21/technology/uber-hack.html](https://www.nytimes.com/2017/11/21/technology/uber-hack.html)

> Two hackers had stolen data about the company’s riders and drivers —
> including phone numbers, email addresses and names — from a third-party
> server, putting the personal data of more than 57 million people at risk.
> The hackers approached Uber and demanded $100,000 to delete their copy of
> the data [...].

> Uber acquiesced to the demands. Under the orders of Travis Kalanick, who was
> then its chief executive, and Joe Sullivan, the chief security officer, the
> company paid the ransom.

> Then Uber went further. The company tracked down the hackers and pushed them
> to sign nondisclosure agreements [...]. To further conceal the damage, Uber
> executives also made it appear as if the payout had been part of a “bug
> bounty” [...].

------
michaelbuckbee
IANAL but I did some basic visualization work as part of a story on US state
data breach regulations. What may be Uber's undoing is that they must have the
driver's license numbers for all of their drivers on file and that is
considered PII by 45 states (never mind that they also missed their reporting
deadline).

And if you're interested, a gif of the data:

[https://imgur.com/Rm32MeC](https://imgur.com/Rm32MeC)

------
bogomipz
The CSO was able to arrange for $100K to be paid out without any oversight of
what that money was for?

If it was paid to hackers it's unlikely that finance cut a check. I'm
imagining this was paid in bitcoin or similar. How was this able to be
approved?

I'm guessing someone created a fake invoice? Wouldn't that constitute fraud?

~~~
tedunangst
Who needs to approve it? How would you know they didn't?

~~~
bogomipz
Generally your finance department needs to approve purchases beyond a certain
dollar amount. This is pretty standard stuff.

If they got it approved as such, don't you think the CEO would have been
informed that there was a line item from Security for ransom?

The article states the CEO didn't find out about the hack until a month after.

~~~
tedunangst
I doubt the CEO of Uber is informed of every $100K transaction.

------
eddieplan9
This has been blown out of proportion.

- This is not Equifax, which leaked hundreds of millions of SSNs; or LinkedIn,
which leaked hashed passwords of millions[1]; or Yahoo, which leaked personal
information of _billions_, including security questions and hashed passwords
[2]; or Target, which affected 40MM credit cards [3].

"Compromised data [..] included names, email addresses and phone numbers of 50
million Uber riders around the world, [..] including some 600,000 U.S.
driver’s license numbers. No Social Security numbers, credit card information,
trip location details or other data were taken"

- There is no gross incompetence. The breach was due to an AWS access key in
a _private_ GitHub repo. I bet you can find enough developers in this forum
who store sensitive information in private GitHub repos without git
encryption, and who may or may not feel guilty, because of the (false) sense
of safety given by 1) the guarantee of a GitHub private repo and 2) the fact
that access keys can be revoked and are generally handled with less care.

- The response by the new CEO is decisive and timely. The CSO was fired on
the same day the CEO learned about the incident. There are also an internal
review, a new advisor, and reasonable protection offered to the drivers
affected, even though there is no indication the data is leaked beyond the
thief, and driver's license numbers are not the best for identity theft.

[1] [https://en.wikipedia.org/wiki/2012_LinkedIn_hack](https://en.wikipedia.org/wiki/2012_LinkedIn_hack)

[2] [https://en.wikipedia.org/wiki/Yahoo!_data_breaches](https://en.wikipedia.org/wiki/Yahoo!_data_breaches)

[3] [https://www.huffingtonpost.com/eric-dezenhall/a-look-back-at...](https://www.huffingtonpost.com/eric-dezenhall/a-look-back-at-the-target_b_7000816.html)

------
ejcx
I can not believe Joe Sullivan would just sit there during this. There has to
be so much more to this story.

I can not imagine he would be on board with negotiating with the hacker, and
cannot imagine him sitting idly for a year after the cover up.

~~~
kenbaylor
Regarding Joe's previous behaviour:
[https://www.theverge.com/2016/7/10/12127638/uber-ergo-invest...](https://www.theverge.com/2016/7/10/12127638/uber-ergo-investigation-lawsuit-fraud-travis-kalanick)
[https://lawyerist.com/ubers-secret-encrypted-far-reaching-in...](https://lawyerist.com/ubers-secret-encrypted-far-reaching-investigation-opposing-counsel/)

A lot more will likely leak out now. Iceberg tip located.

------
sehugg
_At the time of the incident, Uber was negotiating with U.S. regulators
investigating separate claims of privacy violations. Uber now says it had a
legal obligation to report the hack to regulators and to drivers whose license
numbers were taken. Instead, the company paid hackers $100,000 to delete the
data and keep the breach quiet._

~~~
Rotten194
Only $100k? They really should have tried for more... not that I support
stealing PII.

~~~
trosi
They agreed to pay and nobody heard about it for a long time. I'd say they
asked for the right amount

------
wheelzr
Credit Monitoring is the shittiest way to resolve these issues.

I've stopped using any credit card numbers for anything digital. I can change
paypal passwords weekly if I'm that paranoid.

------
leroy_masochist
> Joe Sullivan, the outgoing security chief, spearheaded the response to the
> hack last year, a spokesman told Bloomberg. Sullivan, a onetime federal
> prosecutor who joined Uber in 2015 from Facebook Inc....

Why on earth would a software-based company like Uber that stores a boatload
of confidential employee and customer information on its servers put a non-
technical person of any sort, lawyer or not, in charge of its security team?

~~~
eropple
Security, as far as a corporate entity is concerned, is fundamentally a way to
reduce business and legal risk. A lawyer at the top, making those decisions
with the input of technologists, seems like it should be reasonable when
things are working correctly. This isn't a failure of skillset or knowledge,
it's a failure of ethics and leadership. (Which should, to be clear, be
punished far more severely than skill-related incompetence.)

------
xedarius
Missing a trick these hackers, they don't want to ask for a one-off payment,
they want to turn this business of theirs into a cashflow. Pay X a month and
we will keep the data safe. X could be a much smaller number than 100k. As we
all know they haven't deleted the data. Think of it as a security tax levied
by the internets.

------
Theodores
I wish I was a fly on the wall at Transport for London. Or to be at that
meeting TfL will be having with Uber, when Uber are going to magically prove
themselves to be a 'fit and proper' company. At some point after some British
chat about the weather someone on the TfL side of the table might ask: 'So,
that data breach...'

------
londons_explore
If these 'hackers' were white hat and signed a contract saying they
responsibly handled and deleted the data, and then uber checked the access
logs of the data and verified that nobody else accessed it, then IMO it is not
a data breach. It was a potential breach.

A white hat hacker you have an agreement with on how the data should be
handled is the same as an employee who has access to the same data, where you
also have an agreement on the employees use of the data.

You might say "Ooh, but can you trust the hacker not to keep a copy of the
data!?!", but it's exactly the same as saying "Can you trust the employee not
to copy the data?". I don't think a company would announce a data breach just
because the database administrator had access to a backup tape...

~~~
pserwylo
What you have described makes sense only if they were originally hired as
penetration testers. I think an external hack of this nature, even if done by
white hat hackers, should rightfully be treated differently.

Having said that, you raise an interesting point, because if this money was
paid as a bug bounty, then perhaps the lines would be blurred again. I guess
the difference is that a bug bounty would have more clearly defined parameters
about how far the hack should go. Logging into AWS using credentials that were
found lying around, then continuing on to download data, seems like it is
beyond the realm of reasonable bug-bounty hunting and responsible disclosure.
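londons_explore's scenario above hinges on Uber being able to "check the access logs of the data and verify that nobody else accessed it". In AWS that means working through CloudTrail: which calls the leaked key made, from where, which objects it read, and whether any other principal read the same objects. The code below is an added example of that audit over a handful of constructed CloudTrail-style records (field names follow the CloudTrail event schema; every value, bucket, object key, IP address and the "trusted" 10.0.0.0/8 range is invented for the example, and the key IDs are AWS documentation placeholders). It is not Uber's log data or tooling. One caveat a practitioner should know: CloudTrail only records S3 object-level calls such as `GetObject` if data-event logging is enabled for the bucket; without it you are left with S3 server access logs, or with nothing.

```python
import ipaddress

# Added example, not Uber's logs or tooling. Assumed values:
LEAKED_KEY = "AKIAIOSFODNN7EXAMPLE"                       # AWS docs placeholder key ID
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corp/VPN egress range


def _event(time, name, key_id, ip, bucket=None, obj=None):
    """Build a minimal CloudTrail-style S3 record (real records carry more fields)."""
    params = {}
    if bucket:
        params["bucketName"] = bucket
    if obj:
        params["key"] = obj
    return {"eventTime": time, "eventSource": "s3.amazonaws.com", "eventName": name,
            "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key_id},
            "requestParameters": params}


# Constructed records. In real use, load the "Records" array of each CloudTrail
# log file (or query them from Athena / the CloudTrail Lake) for the window.
SAMPLE_EVENTS = [
    _event("2016-10-13T02:11:09Z", "GetObject", LEAKED_KEY, "10.0.1.15",
           "rider-exports", "2016/drivers.csv.gz"),                 # normal use from inside
    _event("2016-10-13T08:40:31Z", "ListBuckets", LEAKED_KEY, "203.0.113.42"),
    _event("2016-10-13T08:41:02Z", "ListObjects", LEAKED_KEY, "203.0.113.42",
           "rider-exports"),
    _event("2016-10-13T08:42:55Z", "GetObject", LEAKED_KEY, "203.0.113.42",
           "rider-exports", "2016/drivers.csv.gz"),                 # the exfiltration
    _event("2016-10-13T09:00:00Z", "GetObject", "AKIAI44QH8DHBEXAMPLE", "10.0.2.3",
           "billing-reports", "2016/q3.parquet"),                   # unrelated object
    _event("2016-10-14T01:00:00Z", "GetObject", "ASIAI44QH8DHBEXAMPLE", "198.51.100.7",
           "rider-exports", "2016/drivers.csv.gz"),                 # someone else read it
]


def is_trusted(ip, networks=TRUSTED_NETWORKS):
    """True if the source address is inside a known-good range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # CloudTrail also logs service names ("AWS Internal") here
        return False
    return any(addr in net for net in networks)


def suspicious_uses(events, key_id, networks=TRUSTED_NETWORKS):
    """Every call made with `key_id` from outside the trusted ranges, in log order."""
    return [e for e in events
            if e["userIdentity"].get("accessKeyId") == key_id
            and not is_trusted(e["sourceIPAddress"], networks)]


def objects_read_by(events, key_id):
    """Set of (bucket, key) the given access key actually downloaded."""
    return {(e["requestParameters"]["bucketName"], e["requestParameters"]["key"])
            for e in events
            if e["userIdentity"].get("accessKeyId") == key_id
            and e["eventName"] == "GetObject"}


def other_readers(events, objects, exclude_key):
    """Access key IDs other than `exclude_key` that downloaded any of `objects`.

    This is the 'did anybody else access it?' question; a non-empty answer
    means the leaked key is not the whole story.
    """
    readers = set()
    for e in events:
        if e["eventName"] != "GetObject":
            continue
        p = e["requestParameters"]
        key_id = e["userIdentity"].get("accessKeyId")
        if (p.get("bucketName"), p.get("key")) in objects and key_id != exclude_key:
            readers.add(key_id)
    return sorted(readers)


if __name__ == "__main__":
    for e in suspicious_uses(SAMPLE_EVENTS, LEAKED_KEY):
        print(e["eventTime"], e["eventName"], e["sourceIPAddress"], e["requestParameters"])
    taken = objects_read_by(SAMPLE_EVENTS, LEAKED_KEY)
    print("objects read with leaked key:", sorted(taken))
    print("other keys that read them:", other_readers(SAMPLE_EVENTS, taken, LEAKED_KEY))
```

The output answers the three questions the incident responder needs before anyone can claim "nobody else accessed it": the leaked key's calls from an untrusted address (the listing and the download), the objects it actually fetched, and the fact that a second key also downloaded the same export. Note that the same key's earlier use from the trusted range is what makes the untrusted use stand out; without a baseline of normal use, "from outside" needs a different anchor such as the known incident window.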

------
jagermo
Did they pinky-promise to delete the data? Sorry, but that is beyond naive.

------
alehul
Although obviously wrong on Uber's part, I'm curious: If they had informed law
enforcement, could it be possible to legally pay the hackers to delete the
data?

Hacks of this magnitude, especially in other cases where they involve credit
card information, cause millions in damages ultimately, however the black hats
involved (the initial part of that chain of events) sell that data for much
less. Could we cut the losses there, by paying the hackers? Would it be legal?
It could be a more serious version of a bug bounty.

------
yuvalmer
It seems they didn't learn from their mistakes. It sounds like the 2014 breach
was caused by the same mistake.

"That gist is believed to have contained a login key used by a hacker to
access an internal Uber database of 50,000 drivers."

[https://www.theregister.co.uk/2015/02/28/uber_subpoenas_gith...](https://www.theregister.co.uk/2015/02/28/uber_subpoenas_github_for_hacker_details)

------
BinaryIdiot
Whoa, Uber even had the hackers sign an NDA? Like, what were they going to do
if the hackers broke the NDA? That's just...insanity. The fact that Travis
knew about it as well smells like he could face charges.

[https://www.nytimes.com/2017/11/21/technology/uber-
hack.html](https://www.nytimes.com/2017/11/21/technology/uber-hack.html)

------
pcarolan
I don't know, paying off the hackers might have been the best call. It
prevented my data from being exposed into the wild vs notifying authorities
which would have all but guaranteed a leak. If the objective was to protect
Ubers' customers, mission accomplished. Should they have covered it up and not
disclosed it? No, but this is as a tough call ethically.

------
keyle
"For $100K we will delete the information, Scouts honor!"

...

------
chadbennett
Another breach that 2FA and SSO didn't stop. 81% of all breaches now originate
from compromised credentials mainly acquired from 3rd party data breaches.
Most organizations believe that 2FA and SSO are the answer but this proves
they are not enough.

------
NelsonMinar
It never fucking ends with this company, does it?

~~~
chris_wot
No, it does not. Tough luck if you are a driver, btw. You'll be made redundant
to self-driving cars soon.

------
fastball
Did anyone else read this title and assume that it meant Uber had stolen the
data of 57M people and then paid hackers to delete it? I feel like the word
"ransom" should probably be used somewhere in the title.

------
eyeareque
I really hope Lyft can take advantage of all the mistakes Uber has made.

I wonder if it is a good time to start a role at Uber or Lyft? I’m not sure
which one I would pick.

------
yeukhon
How can they be sure the hackers didn’t have another copy?

------
tibbon
I'm getting sick of this stuff. As a user of Uber (or Equifax), would I have
any case if I tried to sue them for mishandling private data (I live in
Massachusetts)?

[http://www.mass.gov/ago/doing-business-in-
massachusetts/priv...](http://www.mass.gov/ago/doing-business-in-
massachusetts/privacy-and-data-security/standards-for-the-protection-of-
personal.html)

~~~
omeid2
Maybe if you can organize a class lawsuit.

------
hwu2whag
Even if this was the correct way to handle such an incident, how can you be
sure that once you've paid the hackers they actually destroy the data?

------
chis
Why was this only worth 100K? How did they verify info was deleted? And how
does this show up on an expense report at the end of the year?

~~~
cube00
Security Penetration Testing

~~~
Strom
What would be the tax implications of this in USA? I imagine there isn't a
bill given by another entity, but this is rather a bitcoin/cash transaction.
In my country this would mean this payout would be hit with all the taxes [1],
pretty much doubling the cost.

--

[1] Income tax, unemployment insurance, healthcare, and maybe even pension.
All going to the benefit of the country as there is no identifiable human on
the receiving end.

------
anigbrowl
And people wonder why I keep saying that Uber needs to have its business
license yanked or suffer some similarly drastic sanction or they'll just keep
right on doing it and others will follow the same strategy. I mean, how often
does a firm have to breach the trust of (just about) everyone it deals with
before it's time to punish it in some meaningful way?

------
halflings
They stored AWS storage credentials in clear, in a (private) Github repo...

This is so baffling coming from one of the largest tech companies in the
world.

Among other things, this shows that they do not have proper access policies to
user data (e.g anybody working at Uber can get access to any user's data),
which in my opinion is a larger issue than this individual hacking case.

~~~
x0x0
We already knew that -- viz Uber showing off their ability to track famous
users at a party.

see

[https://www.forbes.com/sites/kashmirhill/2014/10/03/god-
view...](https://www.forbes.com/sites/kashmirhill/2014/10/03/god-view-uber-
allegedly-stalked-users-for-party-goers-viewing-pleasure/)

[https://www.cnet.com/news/god-view-under-spotlight-as-
uber-i...](https://www.cnet.com/news/god-view-under-spotlight-as-uber-
investigation-intensifies/)

and

[https://www.cnet.com/news/uber-lawsuit-alleges-startup-
track...](https://www.cnet.com/news/uber-lawsuit-alleges-startup-tracked-
celebs-politicians/)

~~~
halflings
Yes, and this is from 2014! They really did not learn anything, and Kalanick's
apologies and statements about "becoming more mature" were all just bullshit.

------
HaoZeke
The problem of course is them storing private credentials on Github despite
numerous highlights on the site to not do so.

Private github sites are private as in hidden. Not as in digitally encrypted
bank vault.

What sort of tech company doesn't go for a self hosted git option anyway!?

Like Gitlab which comes with CI to keep the whole thing private.

Also self hosting allows an arbitrary level of security..

------
booleanbetrayal
At what point can we just let a company die? Is there even such a line to be
crossed anymore? Personal data leaks and illegal cover-ups, Greyball, utter
disregard for regulations, IP theft, a culture systemic harassment and sexism,
etc etc etc. Uber just needs to die so that the rest of us can have some
semblance of faith in the system left.

~~~
codinghorror
The "success at any cost" mentality may have some costs, in retrospect

~~~
booleanbetrayal
Definitely cost me my personal data!

------
sAbakumoff
> Here’s how the hack went down: Two attackers accessed a private GitHub
> coding site...

I am wondering what _private_ Github coding site stands for? If it is GitHub
Enterprise, then how would those hackers even access it from outside of the
uber network? Does it mean that they had access to Uber's VPN as well?

------
seanmccann
In about 2014 I noticed that the logged in API request, on Uber's website,
included full driver info nested under the ride JSON object. It included the
drivers full address, license, phone numbers, etc. They patched it a few
months later, but it was the worst data leak I've seen.

------
foobaw
So was the stolen data deleted? This could've easily just been part of a "bug
bounty," no?

Except when you actually steal data, you're not eligible for a bounty. This means
the hackers had decent leverage and negotiation skills (maybe Uber could've
scared them with lawyers, etc).

------
jimjimjim
Someone needs to start a Top 10 Evil Corp web site.

maybe a yearly most evil corp awards.

because it looks like uber is relentlessly bad.

~~~
joveian
Not quite what you are looking for but the International Labor Rights Forum
does a great job of trying to change some of the worst of the worst practices
around the world (unfortunately, Uber is unlikely to make a top ten list).

[https://ilrf.org/](https://ilrf.org/)

------
tabeth
Wouldn't the easy solution to this class of problems be to require some sort
of physical device to be connected to your machine in order to access certain
sets of data? Assuming the device itself couldn't be spoofed, wouldn't that
solve this once and for all?

------
mannykannot
It seems that Uber has only paid the infiltrators to say they have deleted the
data. Putting aside, for the moment, all the legal and ethical issues, why
would anyone at Uber imagine that this would be in the slightest bit
beneficial?

------
ksk
If companies hiring the "best and brightest" can't keep your data secure, what
hope is there for the average non-tech company? Low tech lock-and-key
solutions don't seem so bad now. If only they could scale...

------
kenbaylor
And just for an FYI: California law SB1386 requires mandatory breach
notification when drivers license data is stolen.... which this team knew very
very well.

So this was willful. Expect many more exits.

------
yalogin
This is exactly why the CEO should lead by example. If the CEO himself does
shady stuff all the time and in fact encourages it, its normal and even
expected that the hack is covered up.

------
eeZah7Ux
The journalist speculated about "evidence that the files were actually
deleted" referring to the "hackers" deleting their copies of the extracted
data.

Really? Evidence of deletion?

------
ddmma
Massive data spill as Uber was hacked.. maybe email address is not so important
but ride history and wherever location data is something quite sensitive ..
shift delete!

------
cmurf
I thought it was illegal to conceal breaches. Certainly there should be
disclosure requirements for publicly traded companies.

------
developuh
How should a startup or a company in this situation handle it properly ?
Should they come out clean to their users ?

------
ravirajx7
Paying hackers good move or bad move? Or Little bit of PR as well that they
can pay if they got hacked again?

------
sebleon
Meh, Uber is one of the good guys, compared to other American multinationals.

For starters, Chiquita Bananas intimidated farmers and union leaders with
AK-47s and hired militias in Colombia [1].

[1]
[https://en.m.wikipedia.org/wiki/United_Fruit_Company#Aiding_...](https://en.m.wikipedia.org/wiki/United_Fruit_Company#Aiding_and_abetting_a_terrorist_organization)

------
petarb
Moral of the story, use two factor auth on GitHub and AWS to prevent
unauthorized access.

------
partycoder
And how exactly did they verify that the hackers actually deleted the data?

------
p3t3rp4n
These type of people actually have driving licences ...

------
k__
lol, I just understood they stole data and then paid the hackers to delete it
so nobody would suspect them spying on their users

------
0898
How did they know they'd delete it?

------
mikemaster2000
Uber should be shut down for stupidity.

------
gok
So was it bad to have paid the ransom?

------
jpkeisala
That company just keeps giving.

------
nvahalik
Aww man. If they were smart they would have announced a bug-bounty and then
just done things that way.

------
yawz
_> Uber paid hackers $100,000 to delete stolen data and keep quiet_

Really? Really? Come on!!!

------
aaroninsf
"Delete"

can't even lolz

------
revelation
Well I hope Uber asked for the hard drive shredder receipt this time around.

------
SubiculumCode
I think its time that Uber starts paying a real and deathly penalty for their
pattern of behaviors.

------
moomin
At this point if the next headline is “Uber sold nuclear submarine secrets to
China whilst kicking puppies” I won’t bat an eyelid.

------
wheelzr
Credit card numbers are a bug.

------
justinzollars
I woke up and Silicon Valley has really become an Evil place. Whatever
happened to our mantra (really Google's but it reflected the whole valley)
"Don't be evil"?

We really need to change.

~~~
659087
> What ever happened to our mantra (really Google's but it reflected the whole
> valley) "Don't be evil"?

The kool-aid wore off and everyone realized it never had any meaning to begin
with.

~~~
quickthrower2
"Don't be evil" \- a command not a mantra.

