Cybersecurity journalism is a lot like the movies; you need a great villain to get the audience’s attention. Here comes Uber to the rescue of Equifax by knocking them off the top spot on the villains list. This week, Bloomberg revealed a ransom payout from Uber to keep hackers silent.
Uber is no stranger to controversy, privacy and security concerns. You want a story about unauthorized user tracking? You want a story about covering up customer safety issues? You want a story about sexual harassment at the highest corporate level? Uber has all of these and more. But up until now, customers didn’t feel their data was at risk for the entire world to see. Now that has all changed.
This hack involved some 57 million customer and driver accounts, including names, email addresses and phone numbers. In addition, 600,000 Uber driver’s licenses were also compromised. But this is all old news already: the breach occurred over a year ago, and Uber paid out $100k in ransom to the hackers to keep it silent and to have the data destroyed. Uber’s deception went even further; according to the NY Times, the payout was disguised as a bug bounty. Obviously the hackers held up their end of the deal when it came to the silence, but how do we know that they didn’t simply keep the compromised data for a future selloff, or that they won’t go back to Uber and ask for more ransom? Apparently the hackers signed an NDA in exchange for the money, and Uber trusts these criminals not to expose this data in the future. But who trusts Uber?
IP Oh No
This serious lack of judgement and these poor security practices reveal Uber as a company that cares more about its future IPO than about its drivers’ or customers’ private data. It has now led to two more Uber execs being ousted, including CSO Joe Sullivan. This ransom payout was secretly arranged under former Uber CEO Travis Kalanick, but current CEO Dara Khosrowshahi said in an emailed statement, “None of this should have happened, and I will not make excuses for it…We are changing the way we do business.” This familiar lip service has been Uber’s mantra since the changing of the guard back in August of 2017.
It’s hard to say if this will put the final #DeleteUber nail in their coffin since they have weathered so much negative publicity already. What we do know is that Uber broke a cardinal rule in cybersecurity by paying ransom to criminals. This got them out of hot water temporarily but isn’t that the same as ‘out of the frying pan and into the fire’? Hackers will now be looking to score a new type of reverse bug bounty from Uber since they know that Uber caves and has deep pockets. This sets a dangerous precedent not only for other tech companies but for all customers of these companies.
I never advise anyone to pay ransom on compromised data unless there are lives on the line. Breach and ransom victims must always remember that there are no fast fixes and that they have gone into an unwilling business arrangement with criminals. In this case, the only advice I can offer is to choose your ridesharing (or any other) service carefully. Be sure that the service not only aligns with your values but also that the service has your safety and security atop their list of priorities. Stay safe.