For more than a year now, Uber Technologies has remained mute about a massive breach at the tech firm in which hackers obtained the personal details of over 57 million people, including both drivers and passengers.
Following the hack and threats from the hackers that they would leak the information to the public and dispose of it, the company’s Chief Security Officer Joe Sullivan and his deputy paid the black hat hackers a whopping $100,000 not to disclose the information.
However, when the information reached the public, the involved parties were forced to cut off relations with the company due to their involvement in concealing the hack and providing funds to pay the hackers.
As expected, every company values the safety and privacy of their customers, and thus some are willing to pay reasonable sums to ensure that a third party does not get access to the personal details.
And in the event that they do, they are willing to negotiate to ensure that the information is not leaked.
With this type of logic, we have a reason as to why Uber opted to negotiate with the hackers on the $100,000.
The details in the possession of the hackers include telephone numbers, email addresses, names of customers and the driver’s license numbers of Uber drivers.
The company further clarifies that more confidential data, such as credit card numbers, Social Security Numbers (SSNs), dates of birth and location, had not been affected.
It is likely that different servers were used by Uber to store various types of data based on the level of sensitivity.
When the hackers managed to compromise the system, it can be assumed that they did not get access to all servers, but rather a single or few that contained the information in their possession.
It is disconcerting that instead of Uber notifying the affected parties as well as law enforcement agencies in various countries, they chose to pay the hackers to keep the event discreet and not use the information obtained for further profit, such as by offering it on the dark web – which may lead to identity theft.
Following the revelations of the breach and the sequence of events, the incoming Chief Executive Officer Dara Khosrowshahi acknowledges that what transpired is highly regrettable and pledges to change the mode of operation in the tech firm.
Due to the magnitude of the breach, some parties have opted to pursue the matter and sue Uber for negligence. The move comes as no surprise considering the immense effect the hack has on the affected parties.
For any given company that requests personal data of individuals, it is solely their responsibility to ensure that the information provided to them by an individual or entity is kept secure and only accessed by authorized parties.
In the case of Uber, the parties, comprising customers and drivers, complain that the tech firm failed to meet its obligation of protecting confidential customer information by ensuring the security of the data stored on its servers.
The main culprits behind the hack, though unconfirmed, are likely Russian; thousands of users from the United Kingdom and the United States are complaining of getting billed for cab services in Moscow, Russia despite never having been there.
The reports which date back to early 2017 are a likely indication that perhaps the breach contained details of users’ financial information, which were then used to pay for free rides.
However, Uber maintains that there is no evidence suggesting that its clients were affected by the breach.
They further refused to divulge any information about the black hat hackers. It could be speculated that there was an agreement between Uber and the hackers, any violation of which would lead to the info getting leaked and bring the name of the company into a worse light.
The new management will have major challenges handling the mess of their predecessors. According to Bloomberg, it is ironic that Joe Sullivan, who joined Uber in a managerial capacity after quitting Facebook in 2015, has made decisions that have ultimately led to his dismissal from the company.
In the past, several high-profile technology companies have experienced breaches of varying magnitudes.
Based on the management and policies of a given company, the reactions differ; some follow laid-out, by-the-book procedures and immediately notify law enforcement agencies and their customers, whereas others ignore the threats and deal with the consequences.
It is worth noting that the breaches are not necessarily always a result of a hack. At times, misconfiguration of servers in the setup process as a result of human error can cause a leak – as was the case of the data breach at Verizon.
Customers who have uploaded their details are therefore advised to regularly check their bank statements and Uber accounts to ensure that unauthorized parties are not using their credentials to get free rides.
If an individual has had funds deducted from their account with the transaction labeled as a ‘cab ride’, they are advised to block the card because it will likely continue to be used until the card gets rejected.
Further, Uber requests affected users to report suspicious account activity through the help icon within their app.