Uber concealed massive hack that exposed data of 57m drivers and users
SAN FRANCISCO (AP) — Uber revealed on Tuesday that for a year it kept secret a hack in which the personal information of more than 57 million customers and drivers of the beleaguered ride-hailing company was stolen.
To date there is no evidence that the stolen information has been misused, Uber’s new chief executive, Dara Khosrowshahi, wrote in a blog post on Tuesday. Part of the reason nothing bad has happened is that, as Uber acknowledges, it paid the hackers $100,000 to destroy the information.
The disclosure is the latest stain on Uber’s reputation.
The San Francisco-based company fired Travis Kalanick as chief executive in June after an internal investigation concluded that he had fostered a culture that allowed sexual harassment of female employees and encouraged staff to operate at the edge of the law.
It is also the latest data theft involving a prominent company that failed to notify the people who might be affected, staying silent for months or even years.
Yahoo did not disclose until September 2016 the hacks that affected 3 billion user accounts during 2013 and 2014. Credit bureau Equifax waited several months before revealing in September that hackers had stolen the Social Security numbers of 145 million Americans.
In his blog post, Khosrowshahi criticized the way Uber had handled the data theft.
“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” the executive wrote. “We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
That commitment should not serve as an excuse for Uber’s previous regime of outrageous conduct, said Sam Curry, chief security officer at the digital security firm Cybereason.
“What is truly frightening here is that Uber paid a bribe, essentially a ransom, to make the stolen information disappear, and acted as if they were above the law,” Curry said. “The people responsible for the integrity and confidentiality of the information in fact covered the matter up.”
The data theft involved the names and email addresses of 57 million users worldwide. The thieves also took the license numbers of 600,000 Uber drivers in the United States.
Uber concealed massive hack that exposed data of 57m drivers and users
Uber concealed a massive global breach of the personal information of 57 million customers and drivers in October 2016, failing to notify the individuals and regulators, the company acknowledged on Tuesday.
Uber also confirmed it had paid the hackers responsible $100,000 to delete the data and keep the breach quiet, which was first reported by Bloomberg.
“None of this should have happened, and I will not make excuses for it,” Uber chief executive Dara Khosrowshahi said in a statement acknowledging the breach and cover-up. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”
Hackers stole personal data including names, email addresses and phone numbers, as well as the names and driver’s license numbers of about 600,000 drivers in the United States. The company said more sensitive information, such as location data, credit card numbers, bank account numbers, social security numbers, and birth dates, had not been compromised.
In his statement, Khosrowshahi said the company had “obtained assurances that the downloaded data had been destroyed” and improved its security, but that the company’s “failure to notify affected individuals or regulators” had prompted him to take several steps, including the departure of two of the employees responsible for the company’s 2016 response.
Uber chief security officer Joe Sullivan was one of the two employees who left the company, Bloomberg reported.
The company’s failure to disclose the breach was “amateur hour”, said Chris Hoofnagle of the Berkeley Center for Law and Technology. “The only way one can have direct liability under security breach notification statutes is to not give notice. Thus, it makes little sense to cover up a breach.”
Under California state law, for example, companies are required to notify state residents of any breach of unencrypted personal information, and must inform the attorney general if more than 500 residents are affected by a single breach.
“The hack and the cover up is typical Uber only caring about themselves,” said Robert Judge, an Uber driver in Pittsburgh, who said he had yet to receive any communication from the company. “I found out through the media. Uber doesn’t get out in front of things, they hide them.”
Uber said in a statement to drivers that it would offer those affected free credit monitoring and identity theft protection.
According to Bloomberg, the breach occurred when two hackers obtained login credentials to access data stored on Uber’s Amazon Web Services account. Paul Lipman, CEO of cybersecurity firm BullGuard, said that the fact that the data was being stored unencrypted was “unforgivable”.
The New York state attorney general’s office has opened an investigation into the data breach, a spokeswoman confirmed.
Uber’s potential civil liability from the breach is complicated by the fact that the United States’ various federal appellate courts are divided over how to treat data breach lawsuits. Some courts allow individuals to join class action lawsuits if they are simply at greater risk of having their identities stolen due to a breach, while other courts require plaintiffs to show that their personal information has actually been misused.
In June, health insurer Anthem settled litigation over a 2015 breach affecting 79 million people for a record $115m.
“Non-disclosure creates a practical risk in the hundreds of millions,” said Hoofnagle, who noted that companies can pay third parties to handle the fallout from a security breach – including notifications – for fees in the tens of millions. “Here’s the good news: drivers will finally squeeze money out of Uber.”
The hack and subsequent concealment is just the latest in a string of scandals and crises that Khosrowshahi inherited from his predecessor, Travis Kalanick, who was forced out of the $68bn startup in June.
The year started out with the trend-setting #DeleteUber viral boycott campaign, which arose after the company was accused of exploiting a New York taxi drivers’ work stoppage to protest Trump’s travel ban.
Then in February, former employee Susan Fowler published a blog post alleging a pervasive culture of gender discrimination and sexual harassment at the company.
The next month saw a New York Times report that for years Uber had been running a secret program to systematically deceive law enforcement officials in cities where its service violated regulations. Officials attempting to hail an Uber during a sting operation were “greyballed”; they might see icons of cars within the app navigating nearby, but no one would come pick them up.
Fowler’s blog post prompted Uber to commission an investigation of its workplace culture, and led to a public airing of the startup’s considerable dirty laundry. The company had skyrocketed to its position as the highest-value startup and dominant ride-hail app by defying rules and regulations, but the post-Fowler reckoning saw at least 20 employees fired and the company acknowledge that it needed to change. It also led to the eventual ousting of Kalanick himself.
Khosrowshahi displayed the new conciliatory style in September when Transport for London decided not to renew its license to operate in London. “We’ve got things wrong along the way,” the CEO said at the time. “On behalf of everyone at Uber globally, I apologise for the mistakes we’ve made.”