Uber Hid 57-Million User Data Breach For Over a Year

By now, the name Uber has become practically synonymous with scandal. But this time the company has outdone itself, building a Jenga-style tower of scandals on top of scandals that has only now come crashing down. Not only did the ridesharing service lose control of 57 million people’s private information, it also hid that massive breach for more than a year, a cover-up that potentially defied data breach disclosure laws. Uber may have even actively deceived Federal Trade Commission investigators who were already looking into the company for a distinct, earlier data breach.

On Tuesday, Uber revealed in a statement from newly installed CEO Dara Khosrowshahi that hackers stole a trove of personal data from the company’s network in October 2016, including the names and driver’s license information of 600,000 drivers, and worse, the names, email addresses, and phone numbers of 57 million Uber users.

As bad as that data debacle sounds, Uber’s response may end up doing the most damage to the company’s relationship with users, and may even have exposed its executives to criminal charges, according to those who have followed the company’s ongoing FTC woes. According to Bloomberg, which originally broke the news of the breach, Uber paid its hackers $100,000 to keep the breach quiet and delete the data they’d stolen. It then failed to disclose the attack to the public, potentially violating breach disclosure laws in many of the states where its users reside, and also kept the data theft secret from the FTC.

“If Uber knew and covered it up and didn’t tell the FTC, that leads to all kinds of problems, including even potentially criminal liability,” says William McGeveran, a data-privacy-focused law professor at the University of Minnesota Law School. “If that’s all true, and that’s a bunch of ifs, that could mean false statements to investigators. You cannot lie to investigators in the process of reaching a settlement with them.”

The Hack

According to Bloomberg, Uber’s 2016 breach occurred when hackers discovered that the company’s developers had published code containing their usernames and passwords to a private account on the code-hosting service GitHub. Those credentials gave the hackers immediate access to the developers’ privileged accounts on Uber’s network, and through them to sensitive Uber data hosted in Amazon’s cloud, including the rider and driver records they stole.

While it’s not clear how the hackers accessed the private GitHub account, the initial mistake of committing credentials to code is hardly unique, says Jeremiah Grossman, a web security researcher and chief security strategist at security firm SentinelOne. Programmers frequently hardcode credentials so that their code can automatically reach privileged data or services, and then fail to restrict how and where they share that credential-laden software. A secret committed to a repository also survives in its history even after the offending line is deleted, so the only reliable remedy is to rotate it.

“This is all too common on GitHub. It’s not a forgiving environment,” says Grossman. He’s far more shocked by the reports of Uber’s subsequent cover-up. “Everyone makes mistakes. It’s how you respond to those mistakes that gets you in trouble.”
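The mistake Grossman describes, credentials checked into source, is exactly what a pre-commit secret scanner exists to catch. The script below is an added example written for this page; it is not Uber’s code nor any tool the article names. The file it scans is constructed: the AWS values are the inert example keys from AWS’s own documentation, and the database password is made up. It combines two complementary checks, shape-based patterns for known credential formats and a Shannon-entropy test for any long quoted string, because each misses things the other catches (the example access key ID, for instance, is too low-entropy to trip the entropy rule but has an unmistakable prefix).

```python
"""Minimal pre-commit secret scanner (added example, not Uber's tooling)."""
import math
import re
import sys
from dataclasses import dataclass

# Constructed sample source standing in for a file a developer might push.
# The AWS values are the inert example keys from AWS documentation and the
# password is made up; none of these are real credentials.
SAMPLE_SOURCE = """\
import boto3

AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DB_PASSWORD = "hunter2"
LOG_LEVEL = "DEBUG"

session = boto3.Session(aws_access_key_id=AWS_ACCESS_KEY_ID,
                        aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
"""


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    value: str


_Q = "[\"']"  # either quote character

# Rule 1: shape-based patterns for well-known credential formats.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws-secret-access-key": re.compile(
        r"(?i)aws\w*secret\w*\s*[:=]\s*" + _Q + r"([A-Za-z0-9/+=]{40})" + _Q),
    "password-assignment": re.compile(
        r"(?i)\b\w*(?:password|passwd|pwd)\w*\s*[:=]\s*" + _Q
        + r"([^\"']{4,})" + _Q),
}

# Rule 2: any long, high-entropy quoted string is suspicious even when it
# matches no known format (API tokens, signing keys, and so on).
QUOTED_STRING = re.compile(_Q + r"([A-Za-z0-9/+=_\-]{20,})" + _Q)
ENTROPY_THRESHOLD = 4.0  # bits per character; tune for your code base


def shannon_entropy(s: str) -> float:
    """Bits per character, estimated from the string's own symbol frequencies."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text: str) -> list[Finding]:
    """Return one Finding per (line, secret value), pattern rules taking precedence."""
    findings: dict[tuple[int, str], Finding] = {}
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                findings.setdefault((line_no, value), Finding(line_no, rule, value))
        for m in QUOTED_STRING.finditer(line):
            value = m.group(1)
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.setdefault((line_no, value),
                                    Finding(line_no, "high-entropy-string", value))
    return sorted(findings.values(), key=lambda f: (f.line, f.rule))


def should_block_commit(text: str) -> bool:
    """Hook-style verdict: True if the staged contents contain any finding."""
    return bool(scan_source(text))


if __name__ == "__main__":
    # Scan the constructed sample; a real hook would read each staged file.
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.rule}: {f.value[:6]}...")
    sys.exit(1 if should_block_commit(SAMPLE_SOURCE) else 0)
```

Wired into a pre-commit hook, a non-zero exit stops the commit before the secret ever reaches a remote. The corrective pattern is to read such values from the environment or a secrets manager at runtime (for example `os.environ["AWS_SECRET_ACCESS_KEY"]`) rather than from a string literal, and to rotate any key that was ever committed, since deleting the line does not remove it from the repository’s history.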

Who’s Affected

Uber’s count of 57 million users covers a significant swath of its total user base, which reached 40 million monthly users last year. The company hasn’t notified affected users, writing in its statement that it’s “seen no evidence of fraud or misuse tied to the incident,” and that it’s flagged the affected accounts for additional protection. As for the 600,000 drivers whose information was included in the breach, Uber says it’s contacting them now, and offering free credit monitoring and identity theft protection.

How Serious Is This?

Mass spills of names, phone numbers, and email addresses represent valuable data for scammers and spammers, who can combine those data points with other data leaks for identity theft, or use them immediately for phishing. The driver data, which included driver’s license information, is more sensitive still and more useful to fraudsters. All of it contributes to the dreary, steady erosion of the average person’s control of their personal information.

But it’s Uber, not the average user whose data it spilled, that may face the most severe and immediate consequences. The company has already fired its chief security officer, Joe Sullivan, who previously led security at Facebook, and before that worked as a federal prosecutor. By failing to publicly disclose the breach for over a year, the company has likely violated breach disclosure laws, and should be bracing for hefty fines in many states where its users live, as well as its home state of California, says the University of Minnesota Law School’s McGeveran. (Former FTC attorney Whitney Merrill echoed that interpretation of those breach disclosure laws on Twitter Tuesday.) “I would not be surprised to see states pursuing Uber on that basis,” McGeveran says.

If the cover-up included making false statements to the FTC during its investigation of the 2014 breach, even though that was a separate incident, the consequences could be more dire still. Making false statements to the commission’s investigators, McGeveran points out, is a federal criminal offense. “This is not just a casual chat over a cup of tea. It’s a formalized investigative procedure,” McGeveran says. “They’re already being asked investigative questions by a government official. They not only know about the breach, but they’re allegedly paying hackers to cover it up. They presumably omit this 57 million person breach from their disclosure to the FTC.”

“If all of that is true,” McGeveran reiterates, “that’s huge.”