By Richard Arneson
In just nine (9) short years, ridesharing company Uber has risen from a small, San Francisco-based startup to a highly disruptive, $6.5 billion juggernaut that, along with its competitor Lyft, has given over 2 million people with a car and spare time on their hands the opportunity to earn a little extra cash while shuttling riders around their fair city. But with precipitous growth often comes pain. In Uber’s case, the pain comes in the form of a FTC-mandated $148 million settlement payment resulting from the 2016 decision to cover up a security breach by co-founder and erstwhile CEO Travis Kalanick.
It’s unclear whether Kalanick knew about the plan ahead of time, but, regardless, Uber addressed the data breach that exposed the names and driver’s license numbers of over six hundred thousand (600,000) drivers and another fifty-five million (55,000,000) riders in an odd way. They hired a hacker.
In 2016, attackers accessed Github, a site utilized by software engineers, to somehow obtain Uber’s credentials for their AWS account. Once in, the intruders secured unencrypted information about their drivers and riders, including email addresses, phone numbers and driver’s licenses. But this wasn’t Uber’s first security breach rodeo. Two (2) years earlier, in 2014, a similar breach resulted in FTC-mandated sanctions. It’s believed that the 2014 incident is what led several at Uber to decide that handling the latest breach on its own, without public disclosure, sounded like a good plan. It wasn’t. And it’s why they had to write the $148,000,000.00 check made payable to the FTC.
The Uber Bug Bounty Program
Forty-eight (48) states have some type of legislation that requires companies to reveal to consumers that a data breach has occurred. While Uber eventually got around to telling the public, they did so after first trying to repair the damage with this, their half-baked plan—they paid a hacker $100,000 through Uber’s bug bounty program, which rewards any hacker who discovers and discloses software flaws. Oh, boy.
In this case, the hacker-for-hire’s job was to delete the affected data, sign a nondisclosure agreement to keep mum, and collect a cool hundred grand. The incident wasn’t reported until a year later by new CEO Dara Khosrowshahi, who declared the handling of the incident a failure, then fired two (2) employees who had signed off on the $100k payment.
After an investigation by state attorneys general determined that Uber had violated data breach notification laws, the FTC then conducted their investigation, which concluded in April of this year.
“After misleading consumers about its privacy and security practices, Uber compounded its misconduct,” said acting FTC chairman Maureen Ohlhausen. She announced that this new agreement with Uber is “designed to ensure that Uber does not engage in similar misconduct in the future.”
As a result of the FTC’s investigation, Uber will have to submit to regular privacy audits for the next twenty (20) years. And if they fail to notify the FTC of any security breaches in the future, or if they engage in or provide misleading information about how they monitor access to consumers’ personal information, they could face significant civil penalties, ones that’ll make $148 million look like the change you find between the sofa cushions.
Got questions? Call on the Security experts
To find out more about the many threats that may soon target, or are currently targeting, your organization, contact GDT’s tenured and talented security analysts at SOC@GDT.com. From their Security- and Network Operations Centers, they manage, monitor and protect the networks of some of the most notable enterprises, service providers, healthcare organizations and government agencies in the world. They’d love to hear from you.
Read more about network security here: