In a record settlement, Uber has agreed to pay $148 million to U.S. regulators for failing to disclose a data breach in 2016, marking a costly resolution to an already embarrassing situation.
Although data breaches are - unfortunately - relatively common, this data breach stands out for two reasons. Firstly, the then-CEO Travis Kalanick and team paid the hackers $100,000 to go away quietly and destroy the stolen data. Secondly, Uber publicly disclosed the event an entire year after the fact.
According to Bloomberg, two individuals accessed Uber source code on GitHub that contained login credentials for an Uber-controlled Amazon Web Services account. Using those credentials, the hackers were able to pull sensitive data out of Amazon Web Services.
Inside they found large archive files of rider and driver profiles, including 600,000 driver's license numbers. According to an official statement, no trip location history, credit card numbers, bank account numbers, social security numbers or dates of birth were downloaded, but the files did contain "a significant amount of other information" including names, email addresses and mobile phone numbers.
Around half of the victims lived in the U.S.; the rest were spread across many other countries, including the U.K., Australia and the Philippines.
Technically, the attack was trivial: credentials committed to source code gave direct access to cloud storage. It became expensive because the company had failed to protect its sensitive accounts adequately.
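The root cause described above, long-lived AWS credentials checked into source code, is exactly the kind of thing a repository scan catches before code leaves a developer's machine. What follows is an added example, not code from the original article or from Uber: a small Python scanner that flags AWS access key IDs and keyword-adjacent 40-character secrets, with an entropy check to cut down false positives. The sample file contents are constructed and use the placeholder key values AWS publishes in its documentation, not real credentials; the function and variable names are my own.

```python
import math
import re
import sys

# AWS access key IDs are 20 characters: a 4-letter prefix (AKIA for long-lived
# keys, ASIA for temporary STS keys) followed by 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# A secret access key is 40 characters of base64-like text. On its own that is
# too generic, so only flag one that sits on a line mentioning "secret".
SECRET_KEY_RE = re.compile(r"(?i)secret[^\n]{0,30}?['\"]([A-Za-z0-9/+=]{40})['\"]")

# Minimum Shannon entropy (bits per character) for a 40-char token to count as
# a secret; real keys are near 5 bits, filler like 'aaaa...' is near 0.
MIN_SECRET_ENTROPY = 3.0


def shannon_entropy(s: str) -> float:
    """Bits per character of the string s."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(value: str) -> str:
    """Show only the ends of a credential so the report doesn't leak it again."""
    return value[:4] + "..." + value[-4:]


def scan_text(text: str):
    """Return a list of findings, one dict per hard-coded AWS credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"line": lineno, "kind": "aws_access_key_id",
                             "value": mask(m.group(0))})
        for m in SECRET_KEY_RE.finditer(line):
            token = m.group(1)
            if shannon_entropy(token) >= MIN_SECRET_ENTROPY:
                findings.append({"line": lineno, "kind": "aws_secret_access_key",
                                 "value": mask(token)})
    return findings


def scan_file(path: str):
    """Scan one file on disk."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return scan_text(f.read())


# Constructed sample of what a leaked config file might look like. The key
# values are the documentation placeholders AWS publishes, not live keys.
SAMPLE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
s3 = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID,
                  aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
"""

if __name__ == "__main__":
    # Usage: python scan_aws_keys.py file1 file2 ...   (exit 1 if anything is found,
    # which is what a git pre-commit hook wants). With no arguments, scan SAMPLE.
    results = []
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            results.extend((path, f) for f in scan_file(path))
    else:
        results = [("<sample>", f) for f in scan_text(SAMPLE)]
    for path, f in results:
        print(f"{path}:{f['line']}: {f['kind']} {f['value']}")
    sys.exit(1 if results else 0)
```

Wire this into a pre-commit hook and the commit carrying the key is rejected locally; the same scan over repository history shows whether a key has already leaked and must be rotated, since deleting it in a later commit does not remove it from the history.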
Uber decided to pay the hackers $100,000 to destroy the stolen data and attributed the payment to its bug bounty program, according to the New York Times. Bug bounty programs are designed to reward those who privately report flaws in a company's software so the company can avoid the financial and reputational damage that would come from a real attack from malicious hackers exploiting the same vulnerabilities.
However, by dealing with the hackers in this way and by failing to notify the relevant authorities, Uber violated several laws.
On 21st November 2017, Dara Khosrowshahi - the new Uber CEO - publicly disclosed the "Data Security Incident" on the company's blog.
While short on specifics of the breach, the post explains what happened and what actions were taken to improve overall security at Uber - primarily the hiring and firing of top personnel and extra reporting requirements.
Uber's Chief Legal Officer Tony West described the disclosure of the breach as "the right thing to do".
For failing to disclose the breach to the affected users and the relevant authorities promptly, Uber has agreed on settlement terms including a payment of $148 million, changes to internal business practices and additional reporting of security incidents to U.S. state authorities.
The cash portion of the settlement equates to $2.60 per user affected.
New York Attorney General Barbara D. Underwood made the following statements in a press release:
"This record settlement should send a clear message: we have zero tolerance for those who skirt the law and leave consumer and employee information vulnerable to exploitation."
Similarly, California Attorney General Xavier Becerra said this was a violation of the public's trust:
"Uber’s decision to cover up this breach was a blatant violation of the public’s trust. Consistent with its corporate culture at the time, Uber swept the breach under the rug in deliberate disregard of the law."
Aside from this settlement, there are still many ongoing legal disputes across the U.S. between drivers, riders, individual U.S. states and Uber regarding this and other security and privacy matters.
Perhaps the most significant conclusion to draw from this whole affair is that paying an attacker's ransom and then pretending the breach never happened at all doesn't end well for anyone except the attacker.
I'm a strong advocate of legitimate bug bounty programs as a way to crowd-source software security, but this is entirely separate from a company's legal responsibilities.
Disclosing the breach sensibly and promptly would likely have been the best course of action and time will tell if this will affect the Uber IPO that is anticipated for next year.