Nearly six years after the fact, ride-sharing company Uber has officially admitted to hiding a 2016 data breach that affected 57 million users worldwide. Counterterrorism experts fear that terrorist and jihadist outfits might have taken advantage of this breach to gather strategic information on their targets. By hiding such dangerous information, Uber has certainly committed a serious crime.
According to media reports, to avoid criminal prosecution, the notorious ride-sharing company has admitted that its personnel “failed to report the November 2016 data breach”, in spite of a concurrent investigation by the Federal Trade Commission (FTC) into Uber’s data security at the time.
The United States Department of Justice (DOJ) said Uber has “accepted responsibility for the acts of its officers, directors, employees, and agents in concealing its 2016 data breach”, and has agreed to pay US$148 million for civil litigation related to the incident.
This indelible data breach exposed unprecedented amounts of Uber’s data, including 600,000 US drivers’ license numbers and the information of those 57 million users.
Uber initially paid a US$100,000 ransom in an attempt to have the leaked information destroyed and keep the attackers quiet; however, this decision ultimately backfired into a slew of long-running legal repercussions.
The data breach remained undisclosed for a full year before finally being reported to government authorities by the then newly-appointed CEO, Dara Khosrowshahi.
In a blog post published in late 2017, Khosrowshahi said “None of this should have happened, and I will not make excuses for it”.
The attack was launched by two hackers, Brandon Glover and Vasile Mereacre, who used a collection of stolen credentials to infiltrate Uber’s systems.
Court documents reveal the two men used a sophisticated, “custom-built Github account checker tool” which took existing exposures of corporate login credentials from other websites and tested them against GitHub’s service.
After using this tool to gain access to Uber’s sensitive data, the two men contacted the company’s then Chief Security Officer, Joe Sullivan, and demanded the US$100,000 ransom in Bitcoin, which Uber management agreed to pay.
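The “account checker” described above is credential stuffing: leaked username/password pairs from other sites replayed against a new service. As an added illustration (not code from the article or from Uber), the following shows the defender-side signal such a tool leaves in authentication logs: one source trying many different accounts in a short window with mostly failures, plus the few accounts where the reused password actually worked. The log lines, IP addresses and thresholds are constructed for this example.

```python
# Added example: flag credential-stuffing patterns in constructed auth logs.
# Format of each constructed line: "<iso timestamp> <source ip> <username> <OK|FAIL>"
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2016-11-14T10:00:01 203.0.113.7 alice FAIL
2016-11-14T10:00:02 203.0.113.7 bob FAIL
2016-11-14T10:00:02 203.0.113.7 carol FAIL
2016-11-14T10:00:03 203.0.113.7 dave FAIL
2016-11-14T10:00:03 203.0.113.7 erin FAIL
2016-11-14T10:00:04 203.0.113.7 frank OK
2016-11-14T10:00:04 203.0.113.7 grace FAIL
2016-11-14T10:01:30 198.51.100.9 alice FAIL
2016-11-14T10:01:35 198.51.100.9 alice FAIL
2016-11-14T10:01:40 198.51.100.9 alice OK
"""

def parse(log_text):
    """Turn constructed log lines into (timestamp, source, user, succeeded) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result == "OK"))
    return events

def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_accounts=5, max_success_ratio=0.5):
    """Return {source: (distinct_accounts_tried, [accounts that succeeded])}
    for sources that tried at least `min_accounts` distinct usernames within
    `window` with a success ratio below `max_success_ratio` (thresholds assumed).
    A single user retrying their own password (198.51.100.9) is not flagged."""
    by_src = defaultdict(list)
    for ts, src, user, ok in parse(log_text):
        by_src[src].append((ts, user, ok))
    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):          # sliding window per source
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            users = {u for _, u, _ in in_window}
            succeeded = [u for _, u, ok in in_window if ok]
            if len(users) >= min_accounts and len(succeeded) / len(in_window) < max_success_ratio:
                flagged[src] = (len(users), succeeded)   # succeeded = accounts to reset
                break
    return flagged

if __name__ == "__main__":
    print(detect_credential_stuffing(SAMPLE_LOG))
```

The accounts listed as having succeeded from a flagged source are the ones whose reused passwords worked and therefore need forced resets and session revocation; the failed ones still show which users reuse passwords found in other breaches.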
But surprisingly, Joe Sullivan was fired from Uber the following year, and in 2020, was charged with obstruction and failing to report a felony to authorities.
He is currently scheduled for a criminal trial in the Northern District of California in September.
While the recent non-prosecution agreement with the DOJ entails a long-awaited settlement between Uber and United States parties tied to the breach, the impacts of this 2016 attack are not confined to America alone.
Uber has faced ongoing scrutiny and investigations from around the globe for the breach, many of which have culminated in hefty penalties.
Among these was a fine of £385,000 from the UK Information Commissioner’s Office, as well as a 2021 ruling by the Office of the Australian Information Commissioner (OAIC) that Uber had violated several Australian Privacy Principles.
Given the financial and reputational damages resulting from this attack and its subsequent cover-up, Uber has heavily increased its commitments to security and compliance over the past six years.
In addition to terminating several senior executives related to the incident, Uber has agreed to maintain a 20-year comprehensive privacy program with the FTC.
According to the DOJ, Uber further agreed to “implement a corporate integrity program, specific data security safeguards, and incident response and data breach notification plans, along with biennial assessments”.
Jill Hazelbaker, Senior VP of Marketing and Public Affairs at Uber, asked that the public not judge the company on its patchy history.
“We have not and will not make excuses for past behavior that is clearly not in line with our present values,” she said.
“Instead, we ask the public to judge us by what we’ve done over the last five years and what we will do in the years to come”.