Industry responds as Uber suffers 57 million record breach, then pays hush-money to prevent disclosure to customers in shocking cover-up.
Here’s the skinny: in 2016 the app-based taxi supremo was breached by threat actors who managed to access the personal data of some 57 million Uber customers and drivers alike, the latter including some 600,000 whose names and driving license details were exposed. The breach is thought to have been facilitated by the discovery of Uber log-in credentials for Amazon Web Services (AWS) in a private area of the GitHub developer code repository.

So far, so routinely poor; but things then got worse, a lot worse. According to the Bloomberg reporters who uncovered the breach details, Uber then took the decision to pay off the attackers with $100,000 as part of a deal to delete any stolen data and keep silent about the breach. The CSO at the time, Joe Sullivan, has since parted ways with Uber. Quite why the company decided not to notify customers whose data was potentially compromised by this breach is, frankly, beyond me. Me, and much of the security industry it would seem; most of the coverage has been focussed on the hush-money aspect rather than the breach itself.