Uber CEO Dara Khosrowshahi posted a blog yesterday saying hackers downloaded the names and driver’s license numbers of around 600,000 drivers in the United States — and some personal information of 57 million Uber users around the world.
The data theft, which occurred a year ago, included names, email addresses and mobile phone numbers, according to Khosrowshahi.
The Associated Press released a story, which appeared in Newsday today, saying Uber paid a $100,000 bribe to the hackers in order to ensure the stolen data was destroyed.
It’s hard to know what’s most troubling about this news:
The fact Uber concealed the hack for a year.
That Uber forked over a hundred-grand to cyber thieves.
Or that they actually believed the hackers would destroy the stolen data.
How could Uber believe the hackers and pay the bribe?
To those three points, the cybersecurity community will surely want to know:
What are the consequences of hiding a hack of this magnitude from law enforcement and the riders?
How could any business or IT executive believe hackers would be true to their word and destroy stolen data? Especially when that data could fetch even more money on the dark web.
What CFO in their right mind — no matter what their CEO or anyone else said — would cut a check for $100,000 to cyber criminals?
Regardless of which of the three indiscretions is the worst, taken together this behavior is exactly what motivates hackers and drives up the cyber crime rate.
Uber has sent a message to the black hats, saying — “We’re scared of you, we’ll pay up if you take our data hostage, and we won’t tell anyone.”
Uber’s new CEO deserves credit for bringing the hack out in the open and taking action. Khosrowshahi’s blog post says he’s asked Matt Olson to help him think through Uber’s security going forward. Olson is a lecturer on law at Harvard Law School, and he has an extensive cybersecurity background.
The reputational harm in connection with a hack of this magnitude — and Uber’s improper response to it — can tally up to a seven- or even eight-figure number. Khosrowshahi would be wise to hire a PR firm. Major hack news lingers for months or even years. With a $100,000 bribe involved, there’s no telling how long this one will be in the headlines.
Visit SteveOnCyber.com to read all of my blogs and articles covering cybersecurity.
Follow me on Twitter @CybersecuritySF, or connect with me on LinkedIn. Send story tips, feedback and suggestions to me here.