Despite how useful and revolutionary Uber may have been to the world of taxis, the company turned out to have a rotten core under its shiny shell. Not only had Uber already been involved in other privacy-related blunders, but recent news also revealed that the world’s leading taxi app paid hackers $100,000 to hide a cyber attack that took place in October 2016. To make things even worse, Uber also tracked down the two hackers, forcing them to sign nondisclosure agreements and to delete all the compromised data. This alone is a serious violation of the Federal Trade Commission (FTC) law that forbids companies from destroying forensic evidence during an investigation. Additionally, the case has led to some changes in Uber’s board, including the sacking of the CEO and the chief security officer (CSO).
And if that’s not enough, according to Bloomberg’s report, the San Francisco-based company also has other open cases in the U.S. for “possible bribes, illicit software, questionable pricing schemes and theft of a competitor’s intellectual property”.
Being Driven to Dark Alleys
Focusing on the case involving the cyber attack, 50 million real names, email addresses and phone numbers were stolen by hackers, alongside seven million drivers’ IDs and license numbers – 600,000 of them in the U.S. alone. Given such shocking numbers, it’s a miracle that Social Security numbers, credit card information or details about trip locations were not taken – at least according to Uber.
However, the severity of the hack is more than enough to make even the most loyal of customers raise an eyebrow, especially considering how poorly the company handles clients’ privacy. In fact, this is not the first case in which customer data was compromised: in 2014 there was a major hack resulting in the exposure of around 50,000 American drivers’ data – and Uber got off with a $20,000 fine, which was clearly not enough to turn on the little red light in the company’s boardroom. And who doesn’t remember the God View case – which also occurred in 2014 – when certain journalists and celebrities were tracked by Uber’s executives without their knowledge?
The most recent hack was carried out by exploiting a weak point in the company’s GitHub, a software development platform Uber’s software engineers rely on, resulting in the immediate exposure of the login credentials needed to access the company’s Amazon Web Services account. From there it was child’s play for the hackers to gather the necessary info to ask Uber for a ransom. Up to that point the hack seemed to be another case of a careless company being attacked by extremely lucky wrongdoers. But there was an unexpected – and downright shameful – turn of events: Uber’s executives tried to cover up the ransom as a payment made to ethical hackers who were hired to invade the company’s servers for testing purposes – a reward known as a bug bounty.
Travis Kalanick, the then-CEO of Uber, knew about the hack one month after it happened but decided not to report it to the authorities and especially not to the app’s clientele. Despite the cover-up, he was forced to resign as CEO in June 2017; however, regardless of the gravity of this scandal he still remained on the company’s board – and has remained there to this day. That doesn’t mean there were no consequences, though: Joe Sullivan, former top security official at Facebook and renowned federal prosecutor, was fired from his position of CSO when the case became public in November 2017.
Cleaning up Uber’s Mess
Since Kalanick’s departure, Dara Khosrowshahi has been Uber’s new chief executive – but even he wasn’t aware of this case until it became public. This forced him to issue a statement, saying that the company will be “changing the way [it does] business” and that it will learn from its mistakes to “put integrity at the core of every decision [and] earn the trust of customers” once again. In plain English, he is the one designated by the board to clean up the mess and save the $70 billion taxi ride business. Matt Olsen, former general counsel at the NSA and director of the National Counterterrorism Center, was also hired for PR purposes, while cyber security firm Mandiant became responsible for the investigation of the breach.
Another practical measure to be taken is providing the exposed drivers with credit monitoring and free protection against identity theft. This may not seem like much, but proper protection is vital to avoid situations similar to the ones that occurred right after the 2014 hacker attack, when criminals applied for credit using the name of one of the compromised drivers and when a driver saw his IRS tax refund denied due to a fraudulent return filed in his name.
The future seems to hold some serious changes for Uber, but only time will tell whether the company’s credibility will be further affected in a positive or a negative way.