Last week, Uber disclosed that a pair of hackers had accessed the personal information of 57 million customers and drivers, and Bloomberg reported that Uber paid the hackers $100,000 to delete the data and stay quiet about the incident. The cyberattack affected riders and drivers all over the world, and included names, email addresses, phone numbers, and drivers license numbers.
This is the latest high-profile data leak in a string of incidents that has made 2017 feel like the year of cyberattacks. However, the Uber hack is additionally complex given that the company attempted to cover it up.
Uber was already knee-deep in other controversies over consumer data, said Christo Wilson, assistant professor in the College of Computer and Information Science at Northeastern and an expert on internet security and privacy. Here, he explains the probable motivation of the hack, as well as impending consequences.
The hackers reportedly requested $100,000 from Uber after accessing an archive of rider and driver information. Were you surprised by this amount?
This amount strikes me as being very low, given Uber’s valuation. It sounds like the attackers were novices. Uber was able to track the attackers down and make them sign non-disclosure agreements, which suggests that the company did not practice proper operational security, again bolstering the argument that they were novices. You also have to wonder why Uber didn’t give the attackers up to law enforcement if they were able to track them down.
What do you think motivated this cyberattack, especially if the hackers were novices, as you suggest?
The cybercrime underground is always looking for easy targets, and it sounds like Uber was a soft target. The attack began when the attackers found private authentication information that Uber engineers had accidentally exposed publicly on GitHub. In other words, the “attack”—if we can really call it that—required very little technical sophistication to perpetrate.
Extortion seems like the motivation. If the goal was to infiltrate Uber for corporate espionage, then the attackers wouldn’t have declared their presence to Uber. Similarly, if the goal was to embarrass Uber, then the attackers would have leaked the stolen information.
There have been several high-profile hacks this year, but this one stands out because Uber went to such great lengths to hide it. Why do you think that is?
Uber’s former management was infamous for its cavalier attitude toward privacy, rider safety, fair competition, and the law in general. For example, Uber recently got fined $8.9 million for failing to adequately vet drivers with criminal backgrounds. Orchestrating a cover-up seems par for the course for Uber.
There have almost certainly been other cover-ups. There was a fascinating paper, presented at this year’s Internet Measurement Conference, where the authors detected data breaches at several unnamed companies. The authors did the right thing and informed the companies, but almost uniformly the companies denied the accusations, failed to take corrective action, and never publicly acknowledged the breach. As it stands, companies have every incentive to deny culpability and cover up breaches.
What happens next? What do you think the consequences of this hack will be for customers and Uber?
Uber is going to be heavily fined for this, at a minimum. Uber already has a consent decree with the FTC for previous violations, and the fines go way up for multiple offenses. Then we get into the penalties that will be levied for violating state-specific breach notification laws like California’s. Noted legal scholar Chris Hoofnagle is estimating the damage will be around $500 million. Then we get into non-U.S. breach-notification laws like New Zealand’s. Remember, the Uber breach affects non-U.S. riders and drivers too.
Whether there will be criminal charges for conspiracy is unclear. The facts of the case seem pretty clear—that is, who knew what and when—so it will be interesting to see how this unfolds.