Enormous, but hidden Uber 2016 data breach goes public

21.08.2020

Back to news

Around 600,000 of driver license numbers as well as names, email addresses, phone numbers of 57 million Uber riders and drivers were exposed as a consequence of 2016 Uber Technologies data breach.

The federal prosecutors of the US charged Uber’s former chief security officer, Joe Sullivan for his attempt to cover-up this massive breach. In case Sullivan found guilty, he could face up to eight years in prison, as well as potential fines of up to $500,000.

U.S. Department of Justice communicates that chief security officer endeavored to conceal, deflect, and mislead the Federal Trade Commission (FTC) about the breach in the ride-hailing company. 

It is proved that he even paid hackers $100,000 ransom to prevent the incident from taking the limelight.

In the process of investigation, two more names popped up, namely, Brandon Charles Glover and Vasile Mereacre from Florida and Toronto correspondingly. They were the two hackers responsible for the incident to whom Sullivan approved paying money in exchange for promises to delete data of customers they had stolen.

The storyline kicked off in November 2016 when Sullivan, as a representative for Uber Technologies, was responding to Federal Trade Commission inquiries regarding a previous data breach incident happened in 2014. At the very same time, malicious hackers named Brandon and Vasile contacted him regarding the new data breach.

Sullivan made an effort to pass one thing off as another paying the ransom through a bug bounty program to register the blackmailing payment as bounty for white-hat hackers whose purpose is to help detecting weak points in a company’s security.


To know how to prevent this type of incidents read more about SearchInform FileAditor.


The storyline:

November 14, 2016: Sullivan receives an email from a hacker informing him that Uber has been breached again. Within 24 hours Sullivan's team confirmes the breach. Rather than report another massive breach, Sullivan decides to withhold this information, thus misleading the Federal Trade Commission.

December 2016: Uber pays $100,000 in BitCoin to the unknown hackers (they refused to provide their true names). Later, the federal prosecutors revealed that Sullivan even wanted the hackers to sign non-disclosure agreements. The agreements contained a false representation that the hackers did not take or store any data. The funny thing here is that after Uber’s team was able to identify the names of the hackers, Sullivan arranged for the hackers to sign new copies of the non-disclosure agreements in their true names. The new agreements retained the false condition that no data had been obtained. 

November 2017: Uber's new management discovers the truth and after Sullivan’s layoff - roughly a year - makes the breach public both for customers and Federal Trade Commission.

2019: Both hackers were pleaded guilty for hacking and blackmailing Uber, LinkedIn, and other U.S. corporations. To be precise the company unveiled the leakage of sensitive data of 57 million of Uber costumers.