Uber Investigating Breach of Its Computer Systems

The company said on Thursday that it was looking into the scope of the apparent hack.


By Kate Conger and Kevin Roose

Uber discovered its computer network had been breached on Thursday, leading the company to take several of its internal communications and engineering systems offline as it investigated the extent of the hack.

The breach appeared to have compromised many of Uber’s internal systems, and a person claiming responsibility for the hack sent images of email, cloud storage and code repositories to cybersecurity researchers and The New York Times.

“They pretty much have full access to Uber,” said Sam Curry, a security engineer at Yuga Labs who corresponded with the person who claimed to be responsible for the breach. “This is a total compromise, from what it looks like.”

An Uber spokesman said the company was investigating the breach and contacting law enforcement officials.

Uber employees were instructed not to use the company’s internal messaging service, Slack, and found that other internal systems were inaccessible, said two employees, who were not authorized to speak publicly.

Shortly before the Slack system was taken offline on Thursday afternoon, Uber employees received a message that read, “I announce I am a hacker and Uber has suffered a data breach.” The message went on to list several internal databases that the hacker claimed had been compromised.

The hacker compromised a worker’s Slack account and used it to send the message, the Uber spokesman said. It appeared that the hacker was later able to gain access to other internal systems, posting an explicit photo on an internal information page for employees.

The person who claimed responsibility for the hack told The New York Times that he had sent a text message to an Uber worker claiming to be a corporate information technology person. The worker was persuaded to hand over a password that allowed the hacker to gain access to Uber’s systems, a technique known as social engineering.

“These types of social engineering attacks to gain a foothold within tech companies have been increasing,” said Rachel Tobac, chief executive of SocialProof Security. Ms. Tobac pointed to the 2020 hack of Twitter, in which teenagers used social engineering to break into the company. Similar social engineering techniques were used in recent breaches at Microsoft and Okta.

“We are seeing that attackers are getting smart and also documenting what is working,” Ms. Tobac said. “They have kits now that make it easier to deploy and use these social engineering methods. It’s become almost commoditized.”

The hacker, who provided screenshots of internal Uber systems to demonstrate his access, said that he was 18 years old and had been working on his cybersecurity skills for several years. He said he had broken into Uber’s systems because the company had weak security. In the Slack message that announced the breach, the person also said Uber drivers should receive higher pay.

The person appeared to have access to Uber source code, email and other internal systems, Mr. Curry said. “It seems like maybe they’re this kid who got into Uber and doesn’t know what to do with it, and is having the time of his life,” he said.

In an internal email that was seen by The New York Times, an Uber executive told employees that the hack was under investigation. “We don’t have an estimate right now as to when full access to tools will be restored, so thank you for bearing with us,” wrote Latha Maripuri, Uber’s chief information security officer.

It was not the first time that a hacker had stolen data from Uber. In 2016, hackers stole information from 57 million driver and rider accounts and then approached Uber and demanded $100,000 to delete their copy of the data. Uber arranged the payment but kept the breach a secret for more than a year.

Joe Sullivan, who was Uber’s top security executive at the time, was fired for his role in the company’s response to the hack. Mr. Sullivan was charged with obstructing justice for failing to disclose the breach to regulators and is currently on trial.

Lawyers for Mr. Sullivan have argued that other employees were responsible for regulatory disclosures and said the company had scapegoated Mr. Sullivan.

Kate Conger is a technology reporter in the San Francisco bureau, where she covers the gig economy and social media.

Kevin Roose is a technology columnist and the author of “Futureproof: 9 Rules for Humans in the Age of Automation.”


What Caused the Uber Data Breach in 2022?

Edward Kost

The Uber data breach began with a hacker purchasing stolen credentials belonging to an Uber employee from a dark web marketplace. An initial attempt to connect to Uber’s network with these credentials failed because the account was protected by MFA. To get past it, the hacker contacted the employee on WhatsApp and, pretending to be a member of Uber’s security team, asked them to approve the MFA notifications being sent to their phone. The hacker then flooded the employee’s phone with MFA push notifications to pressure them into complying. To put an end to the notification storm, the employee approved a request, granting the hacker network access, which ultimately led to the data breach.

Once inside, the hacker compromised an Uber employee’s Slack account and used it to announce the breach to the entire company.

Screenshot of the hacker's breach announcement in Uber's Slack channel

This isn’t the first time Uber has been hacked. In 2016, two hackers breached Uber’s systems, accessing the names, email addresses, and phone numbers of 57 million riders and drivers.

What Data Did the Hacker Access?

After connecting to Uber’s intranet, the hacker gained access to the company’s VPN and discovered Microsoft PowerShell scripts containing the login credentials of an admin user in Thycotic, the company’s Privileged Access Management (PAM) solution. This discovery significantly increased the severity of the breach: a PAM admin account gave the hacker full admin access to Uber’s sensitive services, including DA, Duo, OneLogin, Amazon Web Services (AWS), and G Suite.

The hacker also allegedly accessed Uber’s bug bounty reports which usually contain details of security vulnerabilities yet to be remediated.

The 18-year-old hacker, believed to be associated with the cybercriminal group Lapsus$, revealed details of the attack in a conversation with cybersecurity researcher Corben Leo.

case study uber announces new data breach

Was any Sensitive User Data Stolen During the Uber Breach?

Despite the depth of the compromise, Uber has not reported evidence that customer data was stolen. The likely reason is that the hacker was not intent on causing harm but was chasing the thrill of a successful intrusion and the respect it brings in the hacker community.

Had the hacker been motivated by financial gain, he would have likely sold Uber’s bug bounty reports on a dark web marketplace. Given the devastating data breach impact that’s possible with the findings of a bug bounty program, it would have sold for a very high price.

To say that Uber is lucky this hacker wasn’t an actual cybercriminal is a significant understatement. The company came so close to a complete system shutdown. From a cybersecurity perspective, it seems almost unbelievable that after taking complete control of Uber’s systems, the hacker just dropped everything and walked away. Without any security obstacles left to overcome, it would have been so easy to tie off the breach with a quick installation of ransomware.

Given Uber’s poor record in handling extortion attempts, it is fortunate this didn’t happen. When Uber was breached in 2016, the company paid the attackers the $100,000 they demanded in exchange for deleting their copy of the stolen data. Then, to conceal the event, the company had the hackers sign a non-disclosure agreement and made the payment look like an ordinary reward under its bug bounty program.


4 Key Lessons From the Uber Data Breach

Several critical cybersecurity lessons can be learned from the Uber data breach. By applying them to your cybersecurity efforts, you could potentially avoid suffering a similar fate.

1. Implement Cyber Awareness Training

The fact that the Uber employee eventually gave in to the flood of MFA requests in the initial stage of the attack is evidence of poor awareness of a common MFA exploitation tactic known as MFA fatigue, or push bombing. Had the employee been aware of this tactic, they would likely have reported the prompts rather than approving one, which would have stopped the attack at that step. The hacker also used social engineering, posing as a member of Uber’s security team, which is another common attack tactic.

Implementing cyber awareness training will equip your staff to recognize the common cyberattack methods that made this breach possible - MFA fatigue and social engineering.


2. Be Aware of Common MFA Exploitation Methods

Not all multi-factor authentication methods are equal; some are far easier to defeat than others. Push-approval prompts can be bombed, as in this incident, and SMS codes can be intercepted or phished. Your security team should compare your current MFA methods against common bypass tactics and, where needed, move to stronger options such as number matching for push prompts or phishing-resistant FIDO2/WebAuthn security keys.
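The push-bombing sequence described above leaves a recognisable trace in authentication logs, and a detection rule is a cheap compensating control while stronger factors are rolled out. The following is an added example written for this page, not UpGuard’s or Uber’s code. It assumes a hypothetical log format constructed for the example (one push-MFA prompt per line with a user and a result) and flags any approval that follows several denied or timed-out prompts from the same user within a short window. The log lines themselves are made up.

```python
"""Flag MFA push-fatigue (push bombing) patterns in authentication logs.

Added example for this page; not Uber's or any vendor's code.  The log
format is hypothetical, constructed for the example:
    <ISO-8601 UTC timestamp> user=<name> factor=push result=<approved|denied|timeout>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 'bob' rejects or ignores five prompts in two
# minutes and then approves one ten minutes later, the classic fatigue
# signature.  'carol' has a single rejection, which is ordinary user error.
SAMPLE_LOG = """\
2022-09-15T21:00:02Z user=alice factor=push result=approved
2022-09-15T21:30:11Z user=bob factor=push result=denied
2022-09-15T21:30:40Z user=bob factor=push result=timeout
2022-09-15T21:31:05Z user=bob factor=push result=denied
2022-09-15T21:31:33Z user=bob factor=push result=timeout
2022-09-15T21:32:10Z user=bob factor=push result=denied
2022-09-15T21:40:55Z user=bob factor=push result=approved
2022-09-15T22:05:00Z user=carol factor=push result=denied
2022-09-15T22:06:00Z user=carol factor=push result=approved
"""

REJECTED = {"denied", "timeout"}


def parse_line(line):
    """Turn one log line into a dict with a datetime 'ts' plus the key=value fields."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    event.update(f.split("=", 1) for f in fields)
    return event


def detect_push_fatigue(log_text, window_minutes=15, min_rejections=3):
    """Return alerts as (user, approval time in ISO format, rejections in window).

    An alert fires on an *approved* push that was preceded, within the window,
    by at least `min_rejections` denied or timed-out pushes for the same user.
    The approval is the event worth paging on: it is the moment the attacker
    gets in, and it is also the point at which the session can still be killed.
    """
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event.get("factor") == "push":
            by_user[event["user"]].append(event)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for i, event in enumerate(events):
            if event["result"] != "approved":
                continue
            cutoff = event["ts"] - window
            rejections = sum(
                1 for prior in events[:i]
                if prior["ts"] >= cutoff and prior["result"] in REJECTED
            )
            if rejections >= min_rejections:
                alerts.append((user, event["ts"].isoformat(), rejections))
    return alerts


if __name__ == "__main__":
    for user, when, count in detect_push_fatigue(SAMPLE_LOG):
        print(f"ALERT push fatigue: {user} approved at {when} "
              f"after {count} rejected prompts")
```

On the constructed sample only bob trips the rule. The thresholds are deliberately low; in practice tune them against a week of real prompts so that a user who fat-fingers a prompt once or twice is not paged, and wire the alert to an automatic session revocation for the approving account rather than to a ticket queue.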


3. Never Hardcode Admin Login Credentials Anywhere (Ever)

Probably the most embarrassing cybersecurity blunder in this incident is the hardcoding of admin credentials inside a PowerShell script. This meant the potential for an unauthorized user to reach Uber’s most sensitive systems was always there; all that was required was for someone to read the script and find the admin credentials inside it.

This flaw would have been avoided if secure coding practices had been followed. Admin credentials should always be stored in a secrets vault and retrieved at run time, never written into a script, a config file, or a source repository.
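As an added illustration (not Uber’s or UpGuard’s tooling), the following Python scanner shows the kind of pre-commit or CI check that catches this class of mistake: a constructed PowerShell deployment script with a hardcoded password beside a hardened version that pulls the credential from a vault at run time, plus a constructed settings file with an AWS key, which is the same pattern that exposed the cloud credential in Uber’s 2016 breach. All file contents are made up for the example; the AWS key is AWS’s own documented placeholder value, and `Get-Secret` is the cmdlet from the Microsoft.PowerShell.SecretManagement module, assumed here to return a PSCredential because the secret was stored as one.

```python
"""Scan scripts and source files for hardcoded credentials.

Added example for this page; not Uber's or UpGuard's tooling.  The same
check applies to PAM admin credentials left in a PowerShell script (2022)
and to a cloud credential committed to a source repository (2016).
"""
import re

# Detection rules (constructed for this example; a production scanner carries
# many more, plus entropy checks for secrets that are not labelled at all).
PATTERNS = {
    # ConvertTo-SecureString ... -AsPlainText means a plaintext secret is in
    # the script, whether as a literal or as a variable assigned above it.
    "powershell_plaintext_securestring": re.compile(
        r"ConvertTo-SecureString\s+\S+\s+-AsPlainText", re.I),
    # password = "...", api_key: '...', AWS_SECRET_ACCESS_KEY = "..."
    "password_assignment": re.compile(
        r"\b[A-Za-z_]*(?:password|passwd|pwd|secret|token|api[_-]?key)[A-Za-z_]*"
        r"\s*[:=]\s*['\"](?P<secret>[^'\"]{8,})['\"]", re.I),
    # AWS access key IDs have a fixed, recognisable shape.
    "aws_access_key_id": re.compile(r"\b(?P<secret>AKIA[0-9A-Z]{16})\b"),
}

# Constructed sample files (not real Uber scripts or configuration).
BAD_PS1 = """\
# deploy.ps1 (constructed sample): the mistake this lesson warns about
$user = "svc-pam-admin"
$password = "Sup3rS3cret!"
$secure = ConvertTo-SecureString $password -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($user, $secure)
Invoke-RestMethod -Uri "https://pam.example.internal/api/v1/secrets" -Credential $cred
"""

GOOD_PS1 = """\
# deploy.ps1 (constructed sample), hardened: the credential never appears in
# the file. Get-Secret is from Microsoft.PowerShell.SecretManagement and is
# assumed here to return a PSCredential stored under the name pam-admin.
$cred = Get-Secret -Name "pam-admin" -Vault "CorpVault"
Invoke-RestMethod -Uri "https://pam.example.internal/api/v1/secrets" -Credential $cred
"""

BAD_CONFIG = """\
# settings.py (constructed sample; the key is AWS's documented placeholder)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
"""


def redact(secret):
    """Keep a short prefix so a finding can be traced to its source; hide the rest."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_text(filename, text):
    """Return one finding per (line, rule) hit: file, line number, rule, redacted preview."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            secret = match.groupdict().get("secret")
            findings.append({
                "file": filename,
                "line": lineno,
                "rule": rule,
                # Never echo the full secret into CI output or a ticket.
                "preview": redact(secret) if secret else line.strip(),
            })
    return findings


def scan_files(files):
    """Scan a {filename: contents} mapping and return all findings across files."""
    return [f for name, text in files.items() for f in scan_text(name, text)]


if __name__ == "__main__":
    repo = {"deploy.ps1": BAD_PS1, "deploy-hardened.ps1": GOOD_PS1,
            "settings.py": BAD_CONFIG}
    for f in scan_files(repo):
        print(f"{f['file']}:{f['line']} [{f['rule']}] {f['preview']}")
```

The vulnerable script produces two findings and the hardened one none: the password line and the `-AsPlainText` conversion both disappear once the credential is fetched from a vault. Run a check like this as a pre-commit hook and again in CI, and fail the build on any hit; a scanner that only warns gets ignored on exactly the day it matters.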

4. Implement a Data Leak Detection Service

If the Uber hacker had had more malicious intentions, customer data would have been stolen, published on the dark web, and accessed repeatedly by cybercriminals before Uber even realized it was breached. It’s crucial for organizations to have a safety net for detecting dark web data leaks from undetected breaches, whether of their own systems or of a third party’s.

A data leak detection service notifies affected businesses when sensitive data is found on the dark web so that security teams can secure compromised accounts before they are targeted in follow-up attacks.


Reviewed by Kaushik Sen


Corporate Compliance Insights

  • Writing for CCI
  • Career Connection
  • NEW: CCI Press – Book Publishing
  • Advertise With Us
  • See All Articles
  • Internal Audit
  • HR Compliance
  • Cybersecurity
  • Data Privacy
  • Financial Services
  • Well-Being at Work
  • Leadership and Career
  • Vendor News
  • Submit an Event
  • Download Whitepapers & Reports
  • Download eBooks
  • New: Living Your Best Compliance Life by Mary Shirley
  • New: Ethics and Compliance for Humans by Adam Balfour
  • 2021: Raise Your Game, Not Your Voice by Lentini-Walker & Tschida
  • CCI Press & Compliance Bookshelf
  • On-Demand Webinars: Earn CEUs
  • Leadership & Career
  • Getting Governance Right
  • Adam Balfour
  • Jim DeLoach
  • Mary Shirley

Corporate Compliance Insights

Executive Responsibilities and Consequences: A Case Study of Uber’s Data Breaches

Individuals potentially face criminal charges for failing to disclose a data breach.


Organizations at risk of a data breach (that’s every organization, by the way) can learn something from Uber’s data privacy missteps. Squire Patton Boggs attorneys Colin Jennings, Ericka Johnson and Dylan Yépez offer key takeaways from the company’s high-profile data breaches.

On August 19, 2020, the former Chief Security Officer (CSO) for Uber Technologies Inc. (Uber) was charged with obstruction of justice and misprision of felony for allegedly trying to conceal from federal investigators a cyberattack that occurred in 2016, exposing the data of 57 million riders and drivers. Although an extreme case, it is a good reminder for companies and executives to take data breach disclosure obligations seriously.

The criminal complaint, filed in the U.S. District Court for the Northern District of California (“the Complaint”), appears to claim that Uber, through its former CSO, Joseph Sullivan, should have reported the 2016 data breach to federal investigators. But a business’s duty to disclose a data breach is not always clear, and there are often a myriad of laws, regulatory practices and consumer expectations when navigating a breach. Using Uber’s 2016 breach as a case study, company executives must be aware of and recognize the business and personal consequences associated with breach response, and specifically with intentionally concealing a breach.

The Obligation to Report a Data Breach is Often Not Straightforward

Across the world, countries have widely varying laws related to the protection of personal information and even greater variance on the requirements to disclose a breach of such information. Even within the United States, the definitions of “personal information” and “data breach” differ greatly from state to state, with no two state laws being identical, so businesses, particularly those operating on a national or global scale, must conduct multijurisdictional analyses to determine whether an obligation to disclose a given breach exists and, if so, the scope of the obligation. Often there are inconsistent laws and obligations, and regulatory and consumer expectations can vary greatly based on the nature, scope and context of the breach.


Many laws require disclosure of a data breach only if there is a “reasonable risk of harm” to the individual(s) whose personal information was unlawfully accessed and/or exfiltrated. This requires businesses to determine whether, based on the totality of circumstances, it is reasonably likely that a breach of personal information will harm affected individuals. On the other hand, some laws do not require any risk of harm. Further, given that the forensic review of a data breach evolves over time, it is not uncommon for the initial findings to change dramatically over the course of a breach response. What often appears to be a limited attack can become a wholesale loss of sensitive consumer or business data – and oftentimes both simultaneously.

The legal analysis is then complex, fact-specific and ever changing. Perhaps, for example, only a portion of the sensitive data was exposed (e.g., only the last four digits of a social security number or only an individual’s last name). Maybe, due to insufficient logs, forensic investigators cannot rule out the possibility that an unauthorized third party accessed the sensitive data or moved laterally into human resources data or databases containing consumer financial information. Or perhaps evidence suggests that the cybercriminals appear to be staging sensitive data for exfiltration, but have destroyed any evidence that data was actually taken. These are but a few examples of factors that can make the obligation to report far from straightforward.

As Uber’s 2016 breach response indicates, the difficulty of ascertaining a business’s breach notification obligations is not a defense to those company executives who intentionally conceal a breach. As discussed below, company executives who ultimately have to decide whether to disclose a breach should take notice of the potential consequences of making the wrong decision.

A Case Study in Intentionally Failing to Report a Breach

The Complaint alleges that, in response to Uber’s 2016 breach, former CSO Joseph Sullivan “engaged in a scheme to withhold and conceal from the [Federal Trade Commission] both the hack itself and the fact that that data breach had resulted in the hackers obtaining millions of records associated with Uber’s users and drivers.”

At the time of the breach, Sullivan was helping oversee Uber’s response to a Federal Trade Commission (FTC) investigation into Uber’s data security practices, which had been triggered, in part, by another Uber data breach that occurred in or around 2014. Sullivan was “intimately familiar with the nature and scope of the FTC’s investigation.”

About 10 days after providing sworn testimony to the FTC, however, Sullivan received an email from an outside address claiming to have found a “major vulnerability in uber [sic],” and threatening that the hacker “was able to dump uber [sic] database and many other things.” Within days, Sullivan’s security team realized that an unauthorized person or persons had accessed Uber’s data and obtained, among other things, a copy of a database containing approximately 600,000 driver’s license numbers for Uber drivers.

Based on available information, this massive data breach likely triggered Uber’s duty to notify under numerous jurisdictions’ data breach laws. For comparison, the 2016 breach appeared significantly more expansive than the 2014 breach, in which a cybercriminal accessed over 100,000 individuals’ personal information on a cloud-based data warehouse.

Based on the Complaint, Sullivan allegedly took affirmative measures to conceal the data breach and the resulting exposure of data. Among other things, he allegedly:

  • negotiated with the cybercriminals to pay $100,000 in exchange for the hackers to sign a nondisclosure agreement (NDA), “falsely represent[ing] that the hackers had not obtained or stored any data during their intrusion,” even though “[b]oth the hackers and Sullivan knew at the time that this representation in the NDA was false;”
  • “instructed his team to keep knowledge of the 2016 breach tightly controlled;”
  • “never informed the FTC of the 2016 data breach, even though he was aware that the FTC’s investigation focused on data security, data breaches and protection of [Personally Identifiable Information];” and
  • “removed certain details … that would have illustrated the true scope of the [2016] breach” from a prepared summary for the new Uber CEO – changes which “resulted in both affirmative misrepresentations and misleading omissions of fact.”

Sullivan’s alleged motives to cover up the 2016 hack and data breach are the concerns that all companies must assess in connection with their breach notification responsibilities.

First , the Complaint appears to allege that one motive to conceal the breach was to prevent further reputational harm to the company. Like Uber’s customers, individuals entrust their data to companies on a daily basis, from making purchases to requesting services. Companies know, therefore, that they risk losing revenue if their customers lose confidence in the protection of their data.

Understanding this dynamic, he “became aware the attackers had accessed [the cloud] in almost the identical manner the 2014 attacker had used,” according to the Complaint. “That is, the attackers were able to access Uber’s source code on GitHub (this time by using stolen credentials), locate [a cloud] credential and use that credential to download Uber’s data.” As such, the Complaint appears to allege that both the embarrassment of falling victim to the same attack vector and the associated reputational consequences may have motivated Sullivan to conceal the breach.

Second , the Complaint appears to allege that another motive for concealing the breach was to prevent additional regulatory scrutiny. In the United States, companies like Uber are subject to many state- and industry-specific regulators (e.g., state Attorneys General, the Securities and Exchange Commission, FTC) — often simultaneously. Additionally, outside of the United States there are numerous laws and data protection or other authorities that govern data breaches.

At the time of the breach, Sullivan was actively responding to the FTC’s inquiries to assist in reaching a settlement related to the 2014 breach. For example, he approved language to the FTC representing that “‘all new database backup files’ had been encrypted since August 2014,” when in fact, they had not. Sullivan’s fears may not have been misplaced. In light of the new information regarding the 2016 breach, the FTC effectively withdrew its previous settlement terms and added requirements to the resolution with Uber.

Ultimately, it appears that such attempts to rationalize and avoid Uber’s breach notification responsibilities may have led Sullivan to engage in the actions he did.

Lesson Learned

In a public statement, the FBI advised that, “[w]hile this case is an extreme example of a prolonged attempt to subvert law enforcement, we hope companies stand up and take notice.” In effect, the consequences of failing to disclose a data breach are the most extreme in cases where a notification obligation clearly exists and the company and its officers consciously decide to circumvent that obligation during the course of an ongoing investigation. While companies have incentives to rationalize and avoid their disclosure obligations (e.g., reputational harm, regulatory oversight, expense), this incident highlights the potential consequences executives should be aware of when weighing the business decision to disclose a breach. Disclosure and direct individual notification of a data breach is now the expectation, and the decision to not disclose must be very carefully weighed – taking into account law, regulatory practice and consumer/customer expectations. One size does not fit all, and the nature, scope and circumstance of the specific breach must be carefully assessed in real time.

Ultimately, the legal analysis to determine whether an obligation exists and the business decision to disclose the same are nuanced and complex. If you experience a data breach, it is best to retain counsel who is highly experienced in the nuances of data breaches and the complexities of data breach notification laws for help determining whether and how to disclose a given breach.


Colin Jennings, Ericka Johnson and Dylan Yépez



Uber Users: What You Need to Know about Last Month’s Data Breach

MET cybercrime expert on how hacker likely gained access to company data and systems


Educating employees is crucial to prevent hacks, BU cybersecurity expert says. File photo by Jeff Chiu/AP Photo

Lindsay Shachnow (COM’25)

Last month, the internal databases of American multinational ride-share company Uber were hacked. The unnamed 18-year-old who claimed responsibility for the hack said Uber’s ineffective security measures made the breach possible. The hacker, who was eventually arrested and is in police custody, is said to have gained access to Uber’s secure data through “social engineering,” which means manipulating or deceiving someone, often by email or phone, to gain access to personal or financial information. These manipulation methods are becoming commonplace in the world of cybercrime. By posing as a corporate information technology worker, the hacker claimed to have convinced an Uber contractor to reveal the password to Uber’s systems. Uber says it is also possible the hacker bought the corporate password on the dark web.

According to Uber, having obtained the contractor’s password, the hacker sent repeated log-in requests to the contractor’s account and was then able to bypass Uber’s two-factor log-in authentication—a system where a user is granted access after electronically confirming their identity twice—when the contractor finally accepted the authentication. The hacker was also admitted to the Uber Slack account and posted a message that read: “I announce I am a hacker and Uber has suffered a data breach.”

A security update from Uber says they believe the cybercrime group Lapsus$ is responsible for the attack. “We’re working with several leading digital forensics firms as part of the investigation,” Uber writes. “We will also take this opportunity to continue to strengthen our policies, practices, and technology to further protect Uber against future attacks.”

BU Today spoke with Kyung-shick Choi (MET’02), a Metropolitan College professor of the practice and director of its Cybercrime Investigation & Cybersecurity programs, about the implications of the hack and how companies and users can protect themselves.

This interview has been edited for length and clarity.


BU Today: Can you briefly describe the scope of Uber’s security breach?

Choi: Uber’s security breach is quite an interesting case, because unlike other major breaches, I wonder if the hacker attained what they really wanted to attain. I was expecting some sort of ransomware attack so they could seek financial gain. But this time, it looks like they didn’t really get much. Of course, maybe Uber’s cybersecurity quickly responded to the incident, but they clearly stated they hacked right on the Slack. And so to me, that’s much more what the motivation could be. They already identified the potential suspect, Lapsus$. It’s a Brazilian hacker group—I presume a group of teenagers. We call them “cyber punks.” They have been really active recently and are gaining fame. I think maybe that’s why they were aiming at such a huge company.

BU Today: Can you talk about their methods, how they possibly gained access?

Choi: According to Uber, the hacker group purchased the log-in password from the dark web. It’s very common that hackers are trading, selling, and buying older password and log-in names. So consider, if they are cyber punks and not extremely skillful, just getting the credential through the dark web is the easiest way to commit crime, rather than a complicated hacking process. So maybe that’s what’s happening in this case. Now, Uber has a two-factor authentication system, and so that’s double protection. With two-factor authentication, you get that notification and you have to press the buttons. So maybe [an Uber worker] thought, okay, I did it, and so they approve. So that’s one way, and that’s pure luck to be honest, if [the hackers] did it that way. Another way, if they’re really dedicated hackers, [is to] get deeper into the system. And then they [would] escalate the privilege and change the information to switch the contact to their own. It has to be a burner phone so that you can get your own authentication using the burner. That’s what pretty skillful hackers do, but it looks like the [Uber hackers were] not at that level. That’s my assumption. But normally cyber punks try and try and try, and can kind of luckily get in.

BU Today: What are the potential ramifications for users and their data as a result of the hack?

Choi: Personal data is so important. Every single person’s data can be weaponized and used against them. Your data can be used for criminal purposes, for account takeover, or financial gain. And then, of course, [hackers] can sell the information. And that’s why privacy is so important, in that we really have to protect ourselves. I can expand it to sexual crime. And so if hackers find out the date of birth, location, and all of that, they can stalk people and then even commit sextortion. I’ve seen those cases a lot. People think, oh, this is just one hack. But it’s not just one hack. The damage could be substantial to individuals, families, and the community at large. That’s why we have to be really cautious.

BU Today: What data is believed to be compromised by the attack?

Choi: Hackers downloaded the financial information from Slack. The financial information could be anything. It could be invoices or employment information. So, I think [Uber and the authorities] are currently investigating that and what types of information were compromised. According to them, nonsensitive data was exposed, but we don’t know until we really see what happened. Credit card information is encrypted and so that information is safe, and other travel information is secure. I think right after the incident [Uber] reported it to law enforcement and now the FBI is involved. I think [Uber] did the right thing, so once the FBI gets involved and they do a very extensive investigation, we will receive much more accurate information.

BU Today: Do you think Uber handled the situation well?

Choi: I didn’t see the evidence. If I investigated it, then maybe I could see the log file and when they really got hacked. In most hacking incidents, especially on a big scale, the corporations don’t report the victimization right away. I hope Uber reported it right away. At least the suspect and the hacking group left a message, but we don’t know when they really started. And so maybe they spent extensive time, maybe a month of time, until they got to that stage.

Commonly, major cases are similar in that way because [hacked companies] don’t want to ruin their reputation from the corporate side. They don’t want to give bad images to the public. Who’s going to use Uber if they constantly get hacked?

In this case, [Uber] saw the sign of the hack and they reported it to law enforcement. I think that’s the right way to do it. And that’s why maybe the damages, according to Uber, are minimal. Although, we don’t know yet.

BU Today: Are other rideshare apps vulnerable to similar attacks?

Choi: Of course. Because of the tendency of hackers, if they are professional hackers, they will never attack headquarters, because headquarters have a lot of security built right there. All the major hacks, if you really examine them, are not really happening by directly hacking into the main server. [Hackers] are always finding the small vendors. The size of the company could be very small. That’s a vulnerability right there. That’s also how you handle digital information, and that’s very important.

But definitely Lyft and all the others should be careful. So that means they need to educate their employees.

BU Today: What steps should Uber and other rideshare apps take to prevent similar attacks in the future?

Choi: I have my own theory and my theory has become dominant in computer crime victimization. It’s called “cyber-routine activities theory.” Very simple. There are two factors that contribute to computer crime victimization. So either online behavior, that means a human error, and/or there’s a security issue. Business emails getting compromised is always the number one computer crime victimization throughout the history of the internet or email.

Then another factor is cybersecurity. What if you don’t have basic protection? What if you don’t have the internal security management? Meaning, do you have a strong policy in place in your company? If something happens, incident response is so important. If you don’t have an incident response policy…they have everything. You just have to wait for law enforcement and watch the hackers stealing every single thing. You cannot do anything because you don’t know what to do.

Also important is educating employees. It’s critical. Many [hacking] cases, I would say close to 50 percent, come from an insider. So that’s why you have to maintain all the security credentials, especially when [employees] leave the company. Revenge is a huge factor. [If] they’re not just leaving nicely…[if] they’re doing something with it, maybe selling the information, or sharing all the credentials, or selling it to the dark web.

BU Today: It’s believed the hacker potentially gained access to Uber’s internal systems through a psychological manipulation tactic referred to as social engineering. How can Uber and other companies better prepare and train their employees to identify these persuasive techniques?

Choi: The effective training has to be hands-on training. So statistically speaking, hands-on training really boosts your long-term memory. This type of training is essential so that you feel it when you click it and see what happens. Our programs at MET are designed to train our future law enforcement in cybercrime investigation and cybersecurity. We’re creating a scenario. So we have a suspect and a victim. Students really feel it. They are investigating the case and see how [the hacker] sends a phishing email and they really observe. Also, technology quickly evolves, almost every day. And then our online behavior quickly adapts. The companies should think about that and the changing technology. Companies should really know their employee populations and the characteristics for using social media, for example.

BU Today: How can users protect themselves and their personal data when using rideshare apps?

Choi: Anytime you hear an incident has happened, the first thing you have to do is change your passwords. If you see anything happen, like a hacking incident from the company side, I highly recommend changing passwords so [hackers] cannot do anything further.

And so of course, never use the password you have used before. If I were an Uber customer, I would have a very strong password. And be careful when you download apps, by making sure you are downloading genuine apps, because there are lots of replicated ones.


Lindsay Shachnow (COM’25)


There are 4 comments on Uber Users: What You Need to Know about Last Month’s Data Breach

Excellent interview with Dr. Choi. Very important points to consider regarding doing what we can to take responsibility to be more cyber-safe.

Dr. Choi states, “Hackers downloaded the financial information from Slack. The financial information could be anything. It could be invoices or employment information.”

I have never seen invoices or financial information stored in Slack. Can someone elaborate?

Other patterns to look for:

Get an email from or about old bank accounts or companies you’ve had dealings with. This could be an indicator of a compromise. One should think “Did I initiate this?” If you didn’t, be suspect of that information.

As an active defender in cybersecurity, I can say the fronts are being fought with very complex hacking methods and defenses. One that often gets skipped is the human element.

We can secure information in a variety of ways, and almost all of them can be undone with the human factor. People may very well still be our best line of defense against cyber threats.

Protection against the threat actors is not just the responsibility of cybersecurity professionals; we work with you, to help protect you. The better informed our human firewalls are, the more armed they are to stop these threats, even the lazy ones.

@emily “I have never seen invoices or financial information stored in Slack. Can someone elaborate?”

I’m going to assume a lot here: Slack does have inherent security protocols, that companies often deem “internal”. So with an internal Slack channel companies and employees feel these pathways are safe to divulge sensitive information. This is understandable for the following: teams are separated with remote work and pandemics; teams may be separated by buildings, or someone is out of the office, etc.

All viable reasons, but while the measures are there to protect the information systems, it doesn’t take into account “what if someone else sees it”, from over the shoulder to screen capture.

So good security best practice is, even in Slack (secure channels), the assumption should be “is this information valuable to someone other than the intended recipient?” If your answer is YES?

ENCRYPT or DO NOT POST IT in Slack. Logs exist for many reasons, but historical data that is not redacted, backed up, or secured is always a risk.

Back to the human element. It’s easier for the team to work remotely if we can post invoices in Slack for quick viewing. That same ease of workflow also provides ease of access to information that should be guarded.

Even if the intent is to improve, the risk of that improvement should be mitigated.

I am an Uber driver and I feel as if my phone has been hacked ever since the end of August 2022. My phone company, US Cellular, can’t seem to figure out what is going on with my service not working. Even a new phone didn’t fix the problem.


Uber investigating cybersecurity incident after hacker breaches its internal network


Uber confirmed on Thursday that it’s responding to a cybersecurity incident after reports claimed a hacker had breached its internal network.

The ride-hailing giant discovered the breach on Thursday and has taken several of its internal communications and engineering systems offline while it investigates the incident, according to a report by The New York Times, which broke news of the breach.

Uber said in a statement given to TechCrunch that it’s investigating a cybersecurity incident and is in contact with law enforcement officials, but declined to answer additional questions.

The sole hacker behind the breach, who claims to be 18 years old, told the Times that he compromised Uber because the company had weak security. The attacker reportedly used social engineering to compromise an employee’s Slack account, persuading them to hand over a password that allowed them access to Uber’s systems. This has become a popular tactic in recent attacks against well-known companies, including Twilio, Mailchimp and Okta.

Shortly before the Slack system was taken offline on Thursday afternoon, Uber employees received a message that read, “I announce I am a hacker and Uber has suffered a data breach,” the Times reports. The hacker also reportedly said that Uber drivers should receive higher pay.

We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available. — Uber Comms (@Uber_Comms) September 16, 2022

According to Kevin Reed, CISO at cybersecurity company Acronis, the attacker found high-privileged credentials on a network file share and used them to access everything, including production systems, Uber’s Slack management interface and the company’s endpoint detection and response (EDR) portal.

“If you had your data in Uber, there’s a high chance so many people have access to it,” Reed said in a LinkedIn post, noting that it’s not yet clear how the attacker bypassed two-factor authentication (2FA) after obtaining the employee’s password.

The attacker is also believed to have gained administrative access to Uber’s cloud services, including on Amazon Web Services (AWS) and Google Cloud (GCP), where Uber stores its source code and customer data, as well as the company’s HackerOne bug bounty program.

Sam Curry, a security engineer at Yuga Labs who described the breach as a “complete compromise,” said that the threat actor likely had access to all of the company’s vulnerability reports, which means they may have had access to vulnerabilities that have not been fixed. HackerOne has since disabled the Uber bug bounty program.

In a statement given to TechCrunch, Chris Evans, HackerOne CISO and chief hacking officer, said the company “is in close contact with Uber’s security team, have locked their data down, and will continue to assist with their investigation.”

This is not the first time that Uber has been compromised. In 2016, hackers stole information from 57 million driver and rider accounts and then approached Uber and demanded $100,000 to delete the data. Uber made the payment to the hackers but kept the news of the breach quiet for more than a year.



Andy Greenberg

Hack Brief: Uber Paid Off Hackers to Hide a 57-Million User Data Breach


By now, the name Uber has become practically synonymous with scandal. But this time the company has outdone itself, building a Jenga-style tower of scandals on top of scandals that has only now come crashing down. Not only did the ridesharing service lose control of 57 million people's private information, it also hid that massive breach for more than a year, a cover-up that potentially defied data breach disclosure laws. Uber may have even actively deceived Federal Trade Commission investigators who were already looking into the company for a distinct, earlier data breach.

On Tuesday, Uber revealed in a statement from newly installed CEO Dara Khosrowshahi that hackers stole a trove of personal data from the company's network in October 2016, including the names and driver's license information of 600,000 drivers, and worse, the names, email addresses, and phone numbers of 57 million Uber users.

As bad as that data debacle sounds, Uber's response may end up doing the most damage to the company's relationship with users, and perhaps even exposed it to criminal charges against executives, according to those who have followed the company's ongoing FTC woes. According to Bloomberg, which originally broke the news of the breach, Uber paid a $100,000 ransom to its hackers to keep the breach quiet and delete the data they'd stolen. It then failed to disclose the attack to the public—potentially violating breach disclosure laws in many of the states where its users reside—and also kept the data theft secret from the FTC.

"If Uber knew and covered it up and didn’t tell the FTC, that leads to all kinds of problems, including even potentially criminal liability," says William McGeveran, a data-privacy focused law professor at the University of Minnesota Law School. "If that's all true, and that’s a bunch of ifs, that could mean false statements to investigators. You cannot lie to investigators in the process of reaching a settlement with them."

According to Bloomberg, Uber's 2016 breach occurred when hackers discovered that the company's developers had published code that included their usernames and passwords on a private account of the software repository Github. Those credentials gave the hackers immediate access to the developers' privileged accounts on Uber's network, and with it, access to sensitive Uber servers hosted on Amazon's servers, including the rider and driver data they stole.

While it's not clear how the hackers accessed the private Github account, the initial mistake of sharing credentials in Github code is hardly unique, says Jeremiah Grossman, a web security researcher and chief security strategist at security firm SentinelOne. Programmers frequently add credentials to code to allow it automated access to privileged data or services, and then fail to restrict how and where they share that credential-laden software.

"This is all too common on Github. It’s not a forgiving environment," says Grossman. He's far more shocked by the reports of Uber's subsequent coverup. "Everyone makes mistakes. It’s how you respond to those mistakes that gets you in trouble."
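The mistake Grossman describes, credentials pasted into code so that it can reach a service unattended, is one that a check run before each commit can catch while the code is still on the developer's machine. The block below is an added example, not code from Uber, GitHub or the article: a small Python scanner that flags AWS key formats and password literals in a constructed "before" snippet and passes the constructed "after" snippet, which reads the same values from the environment instead. The key values in the snippet are the placeholder values AWS uses in its own documentation rather than real credentials, and the file-scanning entry point is a hypothetical pre-commit hook.

```python
import re
import sys
from dataclasses import dataclass

# Regexes for the credential shapes relevant to the 2016 incident: an AWS access
# key id (the well-known "AKIA" prefix plus 16 characters), a 40-character AWS
# secret assigned to the usual variable name, and any password/token literal
# assigned in source. Deliberately simple; real scanners add entropy checks and
# many more provider-specific formats.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "credential_literal": re.compile(
        r"(?i)(password|passwd|pwd|secret|api_key|token)\s*[=:]\s*['\"]([^'\"]{4,})['\"]"),
}


@dataclass(frozen=True)
class Finding:
    line: int       # 1-based line number within the scanned text
    kind: str       # which pattern fired
    snippet: str    # the offending line, so a reviewer can locate it quickly


def scan_text(text):
    """Return a Finding for every line that contains a hardcoded credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(lineno, kind, line.strip()))
    return findings


def scan_files(paths):
    """Scan files on disk (e.g. the files staged for a commit); return a dict of
    path -> findings for every file that had at least one."""
    report = {}
    for path in paths:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            found = scan_text(fh.read())
        if found:
            report[path] = found
    return report


# Constructed "before" snippet showing the anti-pattern the article describes.
# The key values are the placeholders from AWS documentation, not real credentials.
VULNERABLE_SNIPPET = """\
# deploy helper: talks to the storage bucket
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = "hunter2hunter2"
"""

# Constructed "after" snippet: the code names the secret and the environment (or
# a secrets manager) supplies it at run time, so the repository holds nothing
# worth stealing even if it leaks.
HARDENED_SNIPPET = """\
# deploy helper: talks to the storage bucket
import os
AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]
db_password = os.environ["DB_PASSWORD"]
"""

if __name__ == "__main__":
    # Hypothetical pre-commit usage: python secret_scan.py <files...>
    # A non-zero exit status is what makes a git hook refuse the commit.
    if len(sys.argv) > 1:
        report = scan_files(sys.argv[1:])
        for path, findings in report.items():
            for f in findings:
                print(f"{path}:{f.line}: {f.kind}: {f.snippet}")
        sys.exit(1 if report else 0)
    for name, snippet in (("vulnerable", VULNERABLE_SNIPPET), ("hardened", HARDENED_SNIPPET)):
        print(name, [(f.line, f.kind) for f in scan_text(snippet)])
```

Run with file paths to get a non-zero exit when anything is found, which is how a git pre-commit hook would use it; tools such as git-secrets and gitleaks do the same job with far more patterns and entropy checks. The check does not make a credential safe, it only keeps the literal out of the repository; the hardened form still depends on whatever supplies the value at run time, and on restricting who can read it there.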

Uber's count of 57 million users covers a significant swath of its total user base, which reached 40 million monthly users last year. The company hasn't notified affected users, writing in its statement that it's "seen no evidence of fraud or misuse tied to the incident," and that it's flagged the affected accounts for additional protection. As for the 600,000 drivers whose information was included in the breach, Uber says it's contacting them now, and offering free credit monitoring and identity theft protection.

Mass spills of names, phone numbers, and email addresses represent valuable data for scammers and spammers, who can combine those data points with other data leaks for identity theft, or use them immediately for phishing. The more sensitive driver data that leaked may offer even more useful private information for fraudsters to exploit. All of it contributes to the dreary, steady erosion of the average person's control of their personal information.

But it's Uber, not the average user whose data it spilled, that may face the most severe and immediate consequences. The company has already fired its chief security officer, Joe Sullivan, who previously led security at Facebook, and before that worked as a federal prosecutor. By failing to publicly disclose the breach for over a year, the company has likely violated breach disclosure laws, and should be bracing for hefty fines in many states where its users live, as well as its home state of California, says the University of Minnesota Law School's McGeveran. (In statements on Twitter embedded above, former FTC attorney Whitney Merrill echoed that interpretation of those breach disclosure laws.) “I would not be surprised to see states pursuing Uber on that basis,” McGeveran says.


Former FTC attorney Whitney Merrill echoed that interpretation Tuesday on Twitter.

If the cover-up included making false statements to the FTC during its investigation of the 2014 breach—even though it was a separate incident—that could have even more dire consequences. Making false statements to the commission’s investigators, McGeveran points out, is a federal criminal offense. “This is not just a casual chat over a cup of tea. it’s a formalized investigative procedure,” McGeveran says. “They’re already being asked investigative questions by a government official. They not only know about the breach, but they’re allegedly paying hackers to cover it up. They presumably omit this 57 million person breach from their disclosure to the FTC.”

“If all of that is true,” McGeveran reiterates, “that’s huge.”



Uber Data Breach Affects 57 Million Rider and Driver Accounts


Steve Symanovich

Staff writer


Uber Technologies, Inc. disclosed that hackers stole the personal information of some 57 million customers and drivers from the ride-sharing company, according to a report by Bloomberg News. The news outlet also reported that, for more than a year, Uber concealed news of the data breach, which was discovered in late 2016.

In a statement on its website and attributed to CEO Dara Khosrowshahi, the company said the information included:

  • The names and driver’s license numbers of around 600,000 drivers in the United States.
  • Some personal information of 57 million Uber riders and drivers around the world. This information included names, email addresses and mobile phone numbers.

Uber rider or driver? Here’s what you need to know:

For Uber riders, the company says it doesn’t believe individuals need to take action. “We have seen no evidence of fraud or misuse tied to the incident,” its statement to riders said . “We are monitoring the affected accounts and have flagged them for additional fraud protection.”

That said, it is possible for identity thieves to launch phishing attacks, appearing to come from Uber, hoping to trick customers into providing personal information, such as account credentials or payment card information. It’s always important to check the actual email address to ensure a message is from the company or person it appears to be from. Also, don’t click on an emailed link or attachment without verifying the email’s authenticity.

Uber says it’s notifying its drivers whose driver’s license numbers were accessed and providing them with free credit monitoring and identity theft protection services. It’s providing additional information for Uber drivers on its website.

How the Uber breach happened

Uber said two people who didn’t work for the company accessed the data on a third-party cloud-based service that Uber uses. The company also said that outside forensics experts have not seen evidence that the hackers accessed other types of information. Un-accessed information includes:

  • Trip location histories
  • Credit card numbers
  • Bank account numbers
  • Social Security numbers
  • Dates of birth

Bloomberg News reports that company executives originally paid the hackers $100,000 to delete the data and keep news of the data breach quiet. In its statement, Uber said that two individuals who led the original response to the incident are no longer with the company, effective Nov. 21, 2017, the date the company went public with news of the breach.


Uber concealed massive hack that exposed data of 57m users and drivers

  • Firm paid hackers $100,000 to delete data and keep breach quiet
  • Chief security officer Joe Sullivan fired for concealing October 2016 breach

Uber concealed a massive global breach of the personal information of 57 million customers and drivers in October 2016, failing to notify the individuals and regulators, the company acknowledged on Tuesday.

Uber also confirmed it had paid the hackers responsible $100,000 to delete the data and keep the breach quiet, which was first reported by Bloomberg.

“None of this should have happened, and I will not make excuses for it,” Uber’s chief executive, Dara Khosrowshahi, said in a statement acknowledging the breach and cover-up. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”

A timeline of Uber's terrible year

  • Uber’s decision to lift surge pricing during a New York taxi drivers’ work stoppage in protest of the Trump travel ban prompts a viral #DeleteUber campaign.
  • Former Uber engineer Susan Fowler publishes a blog post with allegations of widespread sexual harassment and gender discrimination.
  • The New York Times exposes Uber’s use of Greyball, a tool to systematically deceive authorities in cities where Uber was violating local laws.
  • Uber admits it has for years been underpaying New York City drivers by tens of millions of dollars.
  • Uber fires 20 employees following the conclusion of an investigation into sexual harassment and workplace culture.
  • Uber is sued by an Indian passenger who was raped by an Uber driver after reports reveal that a top executive had obtained the woman’s medical records, allegedly in order to cast doubt upon her account.
  • CEO Travis Kalanick resigns.
  • The Wall Street Journal reports that Uber had rented fire-prone cars to drivers in Singapore, despite knowing that the vehicles had been recalled over serious safety concerns.
  • Uber loses its license to operate in London due to a lack of corporate responsibility. The company is appealing the decision.
  • Uber admits concealing a 2016 breach that exposed the data of 57 million Uber customers and drivers, failing to disclose the hack to regulators or affected individuals. The company paid a $100,000 ransom to the hackers to destroy the information and keep the breach quiet.

Hackers stole personal data including names, email addresses and phone numbers, as well as the names and driver’s license numbers of about 600,000 drivers in the United States. The company said more sensitive information, such as location data, credit card numbers, bank account numbers, social security numbers, and birth dates, had not been compromised.

In his statement, Khosrowshahi said the company had “obtained assurances that the downloaded data had been destroyed” and improved its security, but that the company’s “failure to notify affected individuals or regulators” had prompted him to take several steps, including the departure of two of the employees responsible for the company’s 2016 response.

Uber’s chief security officer, Joe Sullivan, was one of the two employees who left the company, Bloomberg reported.

The company’s failure to disclose the breach was “amateur hour”, said Chris Hoofnagle of the Berkeley Center for Law and Technology. “The only way one can have direct liability under security breach notification statutes is to not give notice. Thus, it makes little sense to cover up a breach.”

Under California state law, for example, companies are required to notify state residents of any breach of unencrypted personal information, and must inform the attorney general if more than 500 residents are affected by a single breach.

“The hack and the cover-up is typical Uber only caring about themselves,” said Robert Judge, an Uber driver in Pittsburgh, who said he had yet to receive any communication from the company. “I found out through the media. Uber doesn’t get out in front of things, they hide them.”

Uber said in a statement to drivers that it would offer those affected free credit monitoring and identity theft protection.

According to Bloomberg, the breach occurred when two hackers obtained login credentials to access data stored on Uber’s Amazon Web Services account. Paul Lipman, CEO of cybersecurity firm BullGuard, said that the fact that the data was being stored unencrypted was “unforgivable”.

“That’s just a complete misstep from an information security viewpoint,” he added.


The New York state attorney general’s office has opened an investigation into the data breach, a spokeswoman confirmed.

Uber’s potential civil liability from the breach is complicated by the fact that the United States’ various federal appellate courts are divided over how to treat data breach lawsuits. Some courts allow individuals to join class action lawsuits if they are simply at greater risk of having their identities stolen due to a breach, while other courts require plaintiffs to show that their personal information has actually been misused.

In June, health insurer Anthem settled litigation over a 2015 breach affecting 79 million people for a record $115m.

“Non-disclosure creates a practical risk in the hundreds of millions,” said Hoofnagle, who noted that companies can pay third parties to handle the fallout from a security breach – including notifications – for fees in the tens of millions. “Here’s the good news: drivers will finally squeeze money out of Uber.”

The hack and subsequent concealment is just the latest in a string of scandals and crises that Khosrowshahi inherited from his predecessor, Travis Kalanick, who was forced out of the $68bn startup in June.

The year started out with the trend-setting #DeleteUber viral boycott campaign, which arose after the company was accused of exploiting a New York taxi drivers’ work stoppage protesting against Trump’s travel ban.

Then in February, former employee Susan Fowler published a blogpost alleging a pervasive culture of gender discrimination and sexual harassment at the company.

The next month saw a New York Times report that for years Uber had been running a secret program to systematically deceive law enforcement officials in cities where its service violated regulations. Officials attempting to hail an Uber during a sting operation were “greyballed”; they might see icons of cars within the app navigating nearby, but no one would pick them up.

Fowler’s blogpost prompted Uber to commission an investigation of its workplace culture, and led to a public airing of the startup’s considerable dirty laundry. The company had soared to its position as the highest-value startup and dominant ride-hail app by defying rules and regulations, but the post-Fowler reckoning saw at least 20 employees fired and the company acknowledge that it needed to change. It also led to the eventual ousting of Kalanick himself.

Khosrowshahi displayed the new conciliatory style in September when Transport for London decided not to renew its license to operate in London. “We’ve got things wrong along the way,” the CEO said at the time. “On behalf of everyone at Uber globally, I apologise for the mistakes we’ve made.”


Uber data breach – an insurance case study for directors and officers

When we evaluate the merits of what actually took place, we will see an interesting scenario develop that could directly impact Uber’s board of directors.

Uber headquarters office San Francisco

On November 21, 2017, Uber announced that the personal data of 57 million users were stolen in a breach, including 600,000 drivers in the United States. Reuters just reported that “Uber received an email last year from an anonymous person demanding money in exchange for user data and the message was forwarded to the company’s bug bounty team in what was described as Uber’s routine practice for such solicitations, according to three sources familiar with the matter.”

When we evaluate the merits of what actually took place, we will see an interesting scenario develop that could directly impact Uber’s board of directors. So, let us first examine how this breach compares with others. In Figure 1 we see that the raw number of records disseminated is low when compared against other major breaches. However, how many of the other breaches exposed both client and employee data?

According to Uber, the demand for money came in and they forwarded the demand to the team that handles bug bounties (a type of contest many large firms employ to help ensure their cyber risk mitigation strategies are up to par by challenging the hacker community to try and identify a weakness that would garner a cash award – in this case up to $10,000).

The first problem with this theory that the underwriters need to consider is that this is not how a bug bounty program “should” work. The intent is to identify a material weakness, prove it with a proof of concept, and then get paid. If you take your activities to the next level – and actually “steal” information – not only does that violate the law, it generally renders null and void the terms and conditions set forth by the bug bounty program itself. But Uber’s program has no such language. Here’s what language is present:

Exposure of User Data: the ability to access user or employee data without having an authorized relationship from the Victim.

In-scope vulnerability class examples:

  • AWS Identity & Access Management credential exposure resulting in access to driver documents in an S3 bucket.
  • Adding a user to a Partner’s account, without them accepting the invite, resulting in exposure of name, phone number, and trip history.
  • Password reset token exposure, allowing attacker the ability to reset password of victim and login to view sensitive user data.
  • IDOR/authorization vulnerabilities resulting in exposure of personal data.

Out-of-scope vulnerability class examples:

  • The ability to determine if a phone number or email has an Uber account, also known as an account oracle.

Potential domains to look at: auth.uber.com, partners.uber.com, riders.uber.com, eats.uber.com

There does not appear to me to be a scenario, either in or out of scope, that would be consistent with what Uber alleges took place. The ability to access is not the same thing as “exfiltration.” Even if this were the case, the dollar threshold is exceeded by 10x. So, something is not right here. Was this simply a tactic to downplay the event?

Was this a simple oversight by Uber’s staff when they received the demand?  Was there a corporate policy in place to define what to do in the face of a ransom? Perhaps a subsection of their Incident Response Plan?

If we do some quick math using the infamous IBM and Ponemon statistics, the cost per record is $141.00 each. If we use that metric, we are looking at over $8 billion in potential loss. Do I believe that it will cost them this amount? Not likely.

Reading “Executive Liability for Data Breach Notification Delay?” by Kevin LaCroix made me think of the potential financial implications of underwriting this cyber event and its linkage with Directors and Officers lines of coverage.

Uber has a fairly new CEO who was not present at the time of the breach as well as a new general counsel, Tony Scott, who was recently quoted as saying:

“I’m not the first to recognize that the company over-indexed on growth without putting in the appropriate guardrails,” he said in an interview Friday. “Fostering a culture of compliance is going to be one of my top priorities.”

Any company with excessive growth can find it hard to scale in areas that generally go unchecked by most businesses: at what point do I hire a CISO, and at what point do I hire additional staff with skill sets chosen to close the gaps that exist today? Does this constitute willful or intentional wrongdoing, a negating factor for D&O coverage? In my opinion, no.

However, what was known by Uber, and when? Also, failing to abide by the requirements of 48 state regulatory agencies (47 at the time of the breach) becomes the discerning factor (or should be) for the insurance carrier(s).

If Uber submits a claim for damages incurred by the theft of data, are they entitled to do so under a cyber policy? Depends on the following:

  • Was the policy written in a manner that imposes limits of liability when state laws applicable to data breach notification are not met?
  • Is a future claim of damages negated if you fail to use the carrier’s post-breach service providers?
  • Was the insurance application constructed in a manner that took into account the use of a third party, in this case GitHub, and what was Uber’s inherent obligations to protect sensitive software development?
  • Did the underwriters, brokers, or agents even assess the bug bounty program for assertion of potential exclusionary provisions?

Now comes the interesting part.  Since we are a litigious society and there is always an attorney to champion a good cyber breach case, there exists a chance that Board Members could be subject to being swept into this debacle.  Are there factors under a D&O policy that could convert over to negating the cyber policy? 

According to Mackoul and Associates there are 10 scenarios that void a D&O claim.  I draw your attention to the first line item “Breach of Contract”.  The reason for this is that a contractual duty is not a liability imposed by law but rather a voluntarily undertaken obligation. Failure to comply with a signed contract would fall under willful or intentional wrongdoing and would not be covered.

There may exist a claim of breach of contract by the 600,000 employees. If you go to Uber’s privacy site, you will see how they define their own policy.

For a number of years, the Federal Trade Commission has levied sanctions against companies for either misrepresenting or not adhering to stated privacy policies on corporate websites as an unfair and deceptive business practice.

While this case is still under investigation and more information is sure to surface, can the mere fact that Uber willfully did not advise each State Attorney General serve as a basis for breaching a contract between employer and employee, if the employer had a lawful duty to disclose? If the answer is “yes,” then this factor alone could negate any top cover a D&O policy may provide.

Furthermore, as described by Mackoul under the header of “Willful or Intentional Wrongdoing”:

“A board may still be able to recover a fine resulting from intentional conduct if it can prove that it was only vicariously liable for misconduct but willful or intentional wrongdoing is normally not covered by D&O policies.”

Was the board made aware of this incident prior to public disclosure? If yes, what actions did they take to ensure State laws were met? If they did nothing and failed to meet the standard of care, does that constitute willful or intentional wrongdoing? Did they even know about these requirements, and if not, is ignorance of the law an excuse to vacate a guilty decision from being rendered? Short answer after over 1,000 hours in a courtroom: “no.”


Carter Schoenberg is the President and Chief Executive Officer of HEMISPHERE Cyber Risk Management, Inc. Mr. Schoenberg is a certified information system security professional with over 23 years of combined experience in criminal investigations, cyber threat intelligence, cyber security, risk management and cyber law. He is a cybersecurity subject matter expert supporting government and commercial markets to better define how to evaluate a risk profile and defining criteria for brokers and carriers to utilize in their determination on coverage and premium analysis.

HEMISPHERE is working with insurance stakeholders to define appropriate standards and training of brokers and agents in determining coverage requirements, scheduled for release later in 2017. HEMISPHERE is also working with the National Association of Insurance Commissioner’s Cyber Task Force.

Mr. Schoenberg’s expertise has been featured at many events, and his background and knowledge of the Latin American markets, specifically Panama, has provided him with a unique and detailed view of this market segment.

Mr. Schoenberg is responsible for designing practical solutions to address cyber risk management using his proprietary cost-benefit analysis enabling system owners to make mission and cost justified decisions on cyber risk. Starting his career in law enforcement as a homicide detective, his work products have been actively used by DHS, the ISAC communities, and the Georgia Bar Association for Continuing Learning Educational (CLE) credits on the topic of cybersecurity risk and liability. His expertise is profiled at conferences including ISC2, SecureWorld Expo, ISSA and InfosecWorld.

The opinions expressed in this blog are those of Carter Schoenberg and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.


Uber Breach Exposes the Data of 57 Million Drivers and Users


Uber CEO Dara Khosrowshahi acknowledged the existence of the hack in a statement published on their website, stating that in 2016, two outsiders gained access to user data that was stored on a third-party cloud-based service used by the company. The trove of stolen information included the names and driver’s license numbers of 600,000 Uber drivers, but Khosrowshahi clarified that the company’s corporate infrastructure and systems were not affected.

The hackers were able to gain access to the information after developers working for the company uploaded code to the repository website GitHub. Unfortunately, this code also contained credentials that the hackers used to log into special accounts on Uber’s network containing the sensitive data, which was hosted on Amazon Web Services (AWS) servers.

According to reports, the incident was further complicated when Uber paid the hackers $100,000 to delete the data and prevent the breach from being disclosed publicly. According to insiders, the company also made the hackers sign nondisclosure agreements as part of the deal, making it appear as part of a bug bounty program that involves paying “bug hunters” for hacking into their system to check for security flaws. In their statement, Uber also mentioned that two individuals who were part of the initial response back in 2016 were fired from the company.

Immediately after the breach, the company took steps to secure the data and prevent further unauthorized access by the individuals. Uber also implemented security measures on their cloud-based storage accounts intended to restrict access and strengthen controls. The drivers whose credentials were compromised were notified and provided with free credit monitoring and identity theft protection.

Insights from the Uber breach

Not only is this latest incident one in a long line of recent data breaches, but it is also not the first one to involve the highly popular ridesharing company—back in April 2016, a series of “phantom trips” occurred after stolen Uber accounts were peddled in the underground. Just a few days ago, a similar incident involved drone manufacturer DJI, which was also the subject of a data breach involving GitHub repositories.

For organizations, there are many lessons to be learned from this incident, starting with the proper configuration of public cloud storage, as well as increased emphasis on its security.

In Uber’s case, the error was compounded by the exposure of sensitive credentials, which could have easily been avoided by putting more care into what goes into these repositories. In addition, adherence to the shared responsibility model for cloud services can create a highly secure environment that can make it difficult for attackers to access sensitive information.
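The credential exposure described above is exactly what a secret scan run before code reaches a shared repository is meant to catch. The following is an added example, not code from Uber, Trend Micro or the article's authors: a small Python scanner that flags AWS access key IDs and AWS secret access keys in a set of files (for instance the staged files of a commit) and skips obvious placeholders by requiring a minimum character entropy. The sample files, the regular expressions and the entropy threshold are my own constructions; the key values in the sample are the placeholder credentials published in AWS documentation, not live keys.

```python
"""Scan file contents for AWS credentials before they reach a shared repository.

Added example (not code from Uber, Trend Micro or the page's authors). The
patterns and the entropy threshold are assumptions; tune them for your codebase.
"""
import math
import re
from collections import Counter

# Constructed sample files. The access key ID and secret are the placeholder
# credentials from AWS documentation, not live keys.
SAMPLE_FILES = {
    "config/settings.py": (
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
        "BUCKET = 'driver-documents'\n"
    ),
    # A 40-character placeholder: matches the secret-key shape but carries no entropy.
    "docs/example.env": "AWS_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n",
    "README.md": "Export AWS_ACCESS_KEY_ID in your shell before running.\n",
    "app/main.py": "import os\nkey = os.environ['AWS_ACCESS_KEY_ID']\n",
}

# Long-term access key IDs start with AKIA, temporary (STS) ones with ASIA.
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A secret key is 40 base64-like characters; require an assignment context so
# arbitrary 40-character tokens elsewhere are not flagged.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})['\"]?"
)
SECRET_ENTROPY_MIN = 3.0  # bits per character; 'xxxx...' style placeholders score 0


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_text(path: str, text: str) -> list[tuple[str, int, str]]:
    """Return (path, line_number, finding_kind) for every credential-like line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ACCESS_KEY_ID_RE.search(line):
            findings.append((path, lineno, "aws_access_key_id"))
        m = SECRET_KEY_RE.search(line)
        if m and shannon_entropy(m.group(1)) >= SECRET_ENTROPY_MIN:
            findings.append((path, lineno, "aws_secret_access_key"))
    return findings


def scan_files(files: dict[str, str]) -> list[tuple[str, int, str]]:
    """Scan a mapping of path -> content, e.g. the staged files of a commit."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


if __name__ == "__main__":
    hits = scan_files(SAMPLE_FILES)
    for path, lineno, kind in hits:
        print(f"{path}:{lineno}: {kind}")
    # A non-zero exit status is what a pre-commit hook needs to block the commit.
    raise SystemExit(1 if hits else 0)
```

Wired into a pre-commit hook, the non-zero exit blocks the commit that carries the key; the entropy gate keeps documentation placeholders from tripping it. One caveat worth stating plainly: a scanner like this prevents new leaks, but a secret that has already been pushed lives on in the repository history even after the file is edited, so the only reliable remediation for a key that reached a remote is to rotate it.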

In addition, paying off threat actors does not make the problem “go away,” as it does not guarantee that the data will be deleted or that public disclosure can be avoided. In fact, it will likely complicate things even more, as payment and non-disclosure can be used to fund future attacks. It can also be construed as a violation of regulations depending on the circumstance. It can also hurt a company’s reputation, as well as damage the trust between the company and its customers and partners. It is reasonable to assume that, in most data breach cases, the personal information acquired by the attackers will be sold in the underground.

Customers should always be aware of the potential compromises applications could have on their privacy. Many users download apps without being aware that these could actually be gathering personal information that could be exposed in the event of a data breach. For users whose privacy is non-negotiable, looking for “opt-out” clauses or even choosing alternative apps would be better choices.

While Uber initially made mistakes with how they handled the incident, the company is now taking the right steps to address the breach by placing greater emphasis on securing their cloud storage and repositories. While the incident cannot be reversed, creating comprehensive contingency measures and mobility plans can help mitigate the impact of data breaches.

Organizations that rely heavily on cloud storage can look into the use of multilayered solutions such as Trend Micro™ Hybrid Cloud Security, which delivers a blend of cross-generational threat defense techniques that have been optimized to protect physical, virtual, and cloud workloads.



Uber hid a hack that exposed data of 57 million users and drivers for more than a year


  • Hackers stole data from 57 million Uber users and drivers in 2016.
  • The hackers stole names and driver's license numbers of around 600,000 drivers in the U.S., as well as rider names, email addresses and mobile phone numbers.
  • The company paid hackers $100,000 to delete the data and keep the breach quiet, and did not report the breach.

Uber hid cyberattack exposing 57 million people's data: Reports

Hackers stole data from 57 million Uber users and drivers, a breach that the company concealed for more than a year.

Uber released a statement on the 2016 attack and published resources for riders and drivers. According to the statement, the hack was performed by two people on a third-party cloud service.

The statement said the hackers stole personal information from 57 million Uber users around the world, including names and driver's license numbers of around 600,000 drivers in the U.S., rider names, email addresses and mobile phone numbers.

Location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth do not appear to have been stolen, Uber said. Affected drivers will get free credit monitoring and identity theft protection.

"None of this should have happened, and I will not make excuses for it," CEO Dara Khosrowshahi said in the statement. Khosrowshahi was not with the company at the time of the hack attack, having joined as CEO just this fall.

Uber paid hackers $100K to delete data and stay quiet

The company paid hackers $100,000 to delete the data and keep the breach quiet, and did not report the incident. The ride-hailing company said it has fired chief security officer Joe Sullivan — previously security boss at Facebook — for his role in hiding the data breach.

"At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures," Uber said in a statement. It did not address the payment.

New York Attorney General Eric Schneiderman launched an investigation into the hack, according to press secretary Amy Spitalnick.

Earlier this year, Uber agreed to 20 years of privacy audits after the FTC said the ride-hailing service had "failed consumers" after a 2014 data breach.

In that case, the FTC said: "Uber failed consumers in two key ways: First by misrepresenting the extent to which it monitored its employees' access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data."

The data breach, while small in comparison to Yahoo's 3 billion-account cyberattack, is the latest of several missteps within the ride-hailing giant. The company has fielded scrutiny over allegations of sexual harassment and workplace misconduct, has lost numerous executives amid dissent within the board of directors, and has sparred with regulators from London to Singapore.

Former CEO Travis Kalanick knew about the 2016 hack.

"You may be asking why we are just talking about this now, a year later. I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it," Khosrowshahi said of the breach.

Bloomberg and The New York Times previously reported details of the data breach.

— CNBC's Paayal Zaveri contributed to this report.


Uber agrees to $148M settlement with states over data breach


California Attorney General Xavier Becerra, left, and San Francisco District Attorney George Gascon, right, listen to questions about a settlement with Uber over a data breach during a news conference Wednesday, Sept. 26, 2018, in San Francisco. Uber will pay $148 million and tighten data security after the ride-hailing company failed for a year to notify drivers that hackers had stolen their personal information, according to a settlement announced Wednesday. (AP Photo/Eric Risberg)

California Attorney General Xavier Becerra, left, and San Francisco District Attorney George Gascon, right, talk about a settlement with Uber over a data breach during a news conference Wednesday, Sept. 26, 2018, in San Francisco. Uber will pay $148 million and tighten data security after the ride-hailing company failed for a year to notify drivers that hackers had stolen their personal information, according to a settlement announced Wednesday. (AP Photo/Eric Risberg)

FILE - In this March 15, 2017, file photo, a Uber car drives through LaGuardia Airport in New York. New Mexico Attorney General Hector Balderas says the state will receive approximately $760,000 under a $148 million nationwide settlement between 50 states and Uber. The settlement announced Wednesday, Sept. 26, 2018, by Illinois Attorney General Lisa Madigan stems from the ride-hailing company’s yearlong delay in reporting a data breach to its affected drivers about the theft of their personal information. The states sued Uber, saying the company violated laws requiring it to promptly notify people affected by the breach. (AP Photo/Seth Wenig, File)

FILE - This March 20, 2018, file photo shows the Uber app on an iPad in Baltimore. Uber has agreed to pay $148 million and take steps to tighten data security, after the ride-hailing company failed for a year to notify drivers that hackers had stolen their personal information. (AP Photo/Patrick Semansky, File)



CHICAGO (AP) — Uber will pay $148 million and tighten data security after the ride-hailing company failed for a year to notify drivers that hackers had stolen their personal information, according to a settlement announced Wednesday.

Uber Technologies Inc. reached the agreement with all 50 states and the District of Columbia after a massive data breach in 2016. Instead of reporting it, Uber hid evidence of the theft and paid ransom to ensure the data wouldn’t be misused.

“This is one of the most egregious cases we’ve ever seen in terms of notification; a yearlong delay is just inexcusable,” Illinois Attorney General Lisa Madigan told The Associated Press. “And we’re not going to put up with companies, Uber or any other company, completely ignoring our laws that require notification of data breaches.”

Uber, whose GPS-tracked drivers pick up riders who summon them from cellphone apps, learned in November 2016 that hackers had accessed personal data, including driver’s license information, for roughly 600,000 Uber drivers in the U.S. The company acknowledged the breach in November 2017, saying it paid $100,000 in ransom for the stolen information to be destroyed.

The hack also took the names, email addresses and cellphone numbers of 57 million riders around the world. After significant management changes in the past year, Tony West, Uber’s chief legal officer, said the decision by current managers was “the right thing to do.”

“It embodies the principles by which we are running our business today: transparency, integrity, and accountability,” West said. “An important component of living up to those principles means taking responsibility for past mistakes, learning from them, and moving forward.”

The settlement requires Uber to comply with state consumer protection laws safeguarding personal information and to immediately notify authorities in case of a breach; to establish methods to protect user data stored on third-party platforms and create strong password-protection policies. The company also will hire an outside firm to conduct an assessment of Uber’s data security and implement its recommendations.

West said the commitments in the settlement coincide with physical and digital safety improvements the company recently announced. Uber hired a longtime in-house counsel for Intel as its chief privacy officer and selected a former general counsel to the National Security Agency and director of the National Counterterrorism Center as the company’s chief trust and security officer.

The settlement payout will be divided among the states based on the number of drivers each has. Illinois’ share is $8.5 million, said Madigan, who plans to provide $100 to each affected Uber driver in Illinois. The payout was similar to what several other states had estimated.

O’Connor reported from Springfield, Illinois. AP Technology Writer Michael Liedtke contributed from San Francisco.

case study uber announces new data breach

We've detected unusual activity from your computer network

To continue, please click the box below to let us know you're not a robot.

Why did this happen?

Please make sure your browser supports JavaScript and cookies and that you are not blocking them from loading. For more information you can review our Terms of Service and Cookie Policy .

For inquiries related to this message please contact our support team and provide the reference ID below.

Uber hits record high after unveiling first-ever $7 bln share buyback

Logo of Uber is seen at a temporary showroom during the World Economic Forum in Davos

Reporting by Yuvraj Malik and Samrhitha Arunasalam in Bengaluru; Editing by Shounak Dasgupta

Our Standards: The Thomson Reuters Trust Principles. , opens new tab

The Amazon logo at the company's logistics centre in Lauwin-Planque

Honduras watchdog bans institutions from trading crypto

Honduras' CNBS regulator has banned the Central American country's financial system from trading in cryptocurrency and similar virtual assets, it said in a resolution, citing risks of fraud and money laundering.

United Nations Secretary-General Antonio Guterres speaks in Kampala, Uganda

IMAGES

  1. case study uber announces new data breach

  2. The Uber data breach cover-up: A timeline of events

  3. Uber Data Breach 2022: Uber Cyber Attack 2022

  4. Uber Settles Data Breach Investigation for $148 Million

  5. Executive Responsibilities and Consequences: A Case Study of Uber’s

  6. Uber's concealed data breach affects 57 million users

COMMENTS

  1. Uber Investigating Breach of Its Computer Systems

    Sept. 15, 2022 Uber discovered its computer network had been breached on Thursday, leading the company to take several of its internal communications and engineering systems offline as it...

  2. Uber Hack Update: Was Sensitive User Data Stolen & Did 2FA ...

    Uber confirms incident and says no evidence of sensitive user data exposure. Uber/Twitter. This confirms that the investigation and response efforts continue and states that Uber has "no evidence ...

  3. What Caused the Uber Data Breach in 2022?

    updated Mar 02, 2023 Download the PDF guide Free trial The Uber data breach began with a hacker purchasing stolen credentials belonging to an Uber employee from a dark web marketplace. An initial attempt to connect to Uber's network with these credentials failed because the account was protected with MFA.

  4. Uber responding to 'cybersecurity incident' after hack

    First published on Thu 15 Sep 2022 22.26 EDT. Uber has been hacked in an attack that appears to have breached the ride-hailing company's internal systems. The California-based company confirmed ...

  5. Executive Responsibilities and Consequences: A Case Study of Uber's

    On August 19, 2020, the former Chief Security Officer (CSO) for Uber Technologies Inc. (Uber) was charged with obstruction of justice and misprision of felony for allegedly trying to conceal from federal investigators a cyberattack that occurred in 2016, exposing the data of 57 million riders and drivers.

  6. Uber Users: What You Need to Know about Last Month's Data Breach

    October 11, 2022 4 Lindsay Shachnow (COM'25) Last month, the internal databases of American multinational ride-share company Uber were hacked. The unnamed 18-year-old who claimed responsibility for the hack said Uber's ineffective security measures made the breach possible.

  7. Uber investigating cybersecurity incident; hacker breaches internal

    Uber confirmed on Thursday that it's responding to a cybersecurity incident after reports claimed a hacker had breached its internal network. The ride-hailing giant discovered the breach on ...

  8. Jury finds former Uber security chief guilty of concealing data breach

    The case pertains to a breach at Uber's systems that affected data of 57 million passengers and drivers. The company did not disclose the incident for a year.

  9. Uber Hid 57-Million User Data Breach For Over a Year

    Nov 21, 2017 7:56 PM Hack Brief: Uber Paid Off Hackers to Hide a 57-Million User Data Breach The ridesharing service's latest scandal combines routine security negligence with an "appalling"...

  10. The Uber data breach cover-up: A timeline of events

    The objective, according to the criminal complaint against Sullivan, was to conceal the 2016 Uber breach from both the public and the U.S. Federal Trade Commission (FTC), which was investigating Uber over an earlier data breach. The Uber data breach cover-up and the case against Sullivan feature numerous important dates and developments ...

  11. Uber Data Breach Affects 57 Million Rider and Driver Accounts

    3 Minutes Uber Data Breach Affects 57 Million Rider and Driver Accounts SS Steve Symanovich Staff writer Uber Technologies, Inc. disclosed that hackers stole the personal information of some 57 million customers and drivers from the ride-sharing company, according to a report by Bloomberg News.

  12. The Uber Breach Story: On how security woes can lead to a ...

    To top it all, on August 20, 2020, a criminal complaint was filed charging Joseph Sullivan, Uber's former chief security officer, with obstruction of justice and misprision of a felony in...

  13. Uber concealed massive hack that exposed data of 57m users and drivers

    Wed 22 Nov 2017 06.16 EST Uber concealed a massive global breach of the personal information of 57 million customers and drivers in October 2016, failing to notify the individuals and...

  14. Uber data breach

    On November 21, 2017, Uber announced that the personal data of 57 million users were stolen in a breach, including 600,000 drivers in the United States. Reuters just reported that "Uber ...

  15. Uber Breach Exposes the Data of 57 Million Drivers and Users

    November 22, 2017 In a highly publicized data breach incident, rideshare application Uber announced that the personal information of 57 million customers and drivers were potentially compromised in October 2016, which was complicated by their failure to notify legal authorities and regulators.

  16. Uber hack exposes data of 57 million users and drivers, report says

    Hackers stole data from 57 million Uber users and drivers, a breach that the company concealed for more than a year. Uber released a statement on the 2016 attack and published resources for...

  17. Uber agrees to $148M settlement with states over data breach

    New Mexico Attorney General Hector Balderas says the state will receive approximately $760,000 under a $148 million nationwide settlement between 50 states and Uber. The settlement announced Wednesday, Sept. 26, 2018, by Illinois Attorney General Lisa Madigan stems from the ride-hailing company's yearlong delay in reporting a data breach to ...

  18. Applied Business Tools

    According to Bloomberg News, Uber Technologies Incorporated disclosed that hackers obtained the personal information of around 57 million riders and drivers.

  19. Answered: CASE STUDY #1: Uber Announces New Data…

    Computer Science CASE STUDY #1: Uber Announces New Data Breach Affecting 57 Million Riders and Drivers Ridesharing company Uber Technologies, Inc. has disclosed that hackers have stolen the personal information of about 57 million customers and drivers, according to a report by Bloomberg News.

  20. CASE STUDY #1: Uber Announces New Data Breach...

    Doc Preview BSTM BSTM 601 CASE STUDY #1: Uber Announces New Data Breach Affecting 57 million Riders and Drivers A. What is the write-up all about? What technology-related issue/s is/are apparent? The write-up talks about the issue that happened in Uber Technologies, Inc. in the late 2016.

  21. Applied Case Study.docx

    Case Study: Uber Announces New Data Breach Affecting 57 Million Riders and Drivers. Sanchez, Jeff Andre D. BSTM 3.1A INTRODUCTION When an organizational crisis occurs, management must navigate the tumultuous times by making appropriate business and ethical decisions while often only having a limited amount of information.

  22. Answered: CASE STUDY #1: Uber Announces New Data…

    Engineering Computer Science CASE STUDY #1: Uber Announces New Data Breach Affecting 57 Million Riders and Drivers Ride sharing company Uber Technologies, Inc. has disclosed that hackers have stolen the personal information of about 57 million customers and drivers, according to a report by Bloomberg News.

  23. CASE STUDY #1 -WPS Office.docx

    CASE STUDY #1: Uber Announces New Data Breach Affecting 57 Million Riders and Drivers Study Questions: A. What is the write-up all about? What technology-related issue/s is/are apparent? The write-up is all about Uber as the victim of a data breach affecting the data of 57 million drivers and riders.

  24. Prudential Says Hackers Gained Access to Its Computer Systems

    The Circuit. Hosted by high-profile journalist Emily Chang, The Circuit is a fast-paced, dynamic series that lives at the intersection of culture, tech, entertainment, and business.

  25. Uber hits record high after unveiling first-ever $7 bln share buyback

    Feb 14 (Reuters) - Uber Technologies (UBER.N), opens new tab shot to a record high on Wednesday after announcing its first-ever buyback of $7 billion worth of company shares after a strong ...