You can find the current article at its original source at https://www.nytimes.com/2017/11/21/technology/uber-hack.html

Version 0

Uber Discloses Data Breach, Kept Secret for a Year, Affecting 57 Million Accounts

SAN FRANCISCO — Uber on Tuesday disclosed it was the victim of a data breach last October that affected 57 million driver and rider accounts and that it fired its chief security officer, Joe Sullivan, for keeping the breach a secret for more than a year.

The ride-hailing company said information on driver and rider names, emails and telephone numbers had been compromised by the attack. After the breach, two hackers approached Uber demanding payment for the stolen data and proof of the deletion of the data. Uber did not make the breach public and instead paid the hackers $100,000 to ensure the stolen data was expunged.

The issue came to light in recent months after an investigation by Uber’s board into the company’s past, in which board members looked at several internal practices. Dara Khosrowshahi, who was chosen to be the chief executive in late August, said he only recently learned of the incident and decided to take action.

“None of this should have happened, and I will not make excuses for it,” Mr. Khosrowshahi said in a company blog post. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”

The revelation of the breach and the way it was kept quiet raises more questions about the tenure of Travis Kalanick, Uber’s co-founder who was chief executive at the time of the breach.

Mr. Kalanick began 2017 on a high note as chief executive of the most valuable privately held start-up in the world, but that rapidly fell apart after Uber came under scrutiny for its workplace culture. The New York Times also reported on a secret program called Greyball that had been undertaken under Mr. Kalanick’s watch, in which Uber staff members surveilled some law enforcement in order to evade them.

By June, some of Uber’s shareholders were agitating for Mr. Kalanick’s exit. That month, he stepped down under pressure, but has since fought to retain control of several board seats. Benchmark, a venture capital firm that is one of Uber’s earliest investors and had been a supporter of Mr. Kalanick, sued the former C.E.O. for fraud.

A spokeswoman for Mr. Kalanick declined to comment. Bloomberg earlier reported the hack.

Version 1 (about 3 hours later)

Uber Discloses Data Breach, Kept Secret for a Year, Affecting 57 Million Accounts

SAN FRANCISCO — In November 2016, Uber executives faced an expensive and risky decision.

Two hackers had stolen data about the company’s riders and drivers including phone numbers, email addresses and names from a third-party server, putting the personal data of more than 57 million people at risk. The hackers approached Uber and demanded $100,000 to delete their copy of the data, according to several current and former employees, who spoke on the condition of anonymity because the details are private.

Uber acquiesced to the demands. Under the orders of Travis Kalanick, who was then its chief executive, and Joe Sullivan, the chief security officer, the company paid the ransom.

Then Uber went further. The company tracked down the hackers and pushed them to sign nondisclosure agreements, according to the people familiar with the matter. To further conceal the damage, Uber executives also made it appear as if the payout had been part of a “bug bounty” — a common practice among technology companies in which they pay hackers to attack their software to test for soft spots.

The details of the attack remained hidden until Tuesday, when the ride-hailing company disclosed the breach after it was discovered as part of a board investigation into Uber’s business practices. Mr. Sullivan and one of his colleagues were fired. Mr. Kalanick was pushed out in June after a series of scandals led to his falling out of favor with major shareholders, although he remains on Uber’s board of directors.

The breach at Uber is far from the most serious exposure of sensitive customer information. The two hacks that Yahoo announced in 2016 eclipse Uber’s in size, and an attack disclosed in September by Equifax, the consumer credit reporting agency, exposed a far deeper trove of personal information for a far larger group of people.

But the handling of the hack underscores the extent to which Uber executives were willing to go to protect the $70 billion ride-hailing giant’s reputation and business, even at the potential cost of breaking users’ trust and, perhaps more important, state and federal laws. The New York attorney general’s office said on Tuesday that it had opened an investigation into the matter.

Dara Khosrowshahi, who was chosen to be chief executive of Uber in late August, said he only recently learned of the breach.

“None of this should have happened, and I will not make excuses for it,” Mr. Khosrowshahi said in a company blog post. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”

A spokeswoman for Mr. Kalanick declined to comment.

The revelation of the breach and the way it was kept quiet renewed questions about the tenure of Mr. Kalanick, who has faced criticism over his management style and practices after Uber came under scrutiny for its workplace culture this year. The New York Times also reported on a secret program called Greyball that had been undertaken under Mr. Kalanick’s watch, in which Uber staff members surveilled law enforcement officials in order to evade them. Since his exit as chief executive, he has been sued by one of Uber’s earlier investors for fraud.

The breach is also a black mark for Mr. Sullivan, who cut a high-profile figure in the information security industry. Mr. Sullivan joined Uber as the company’s first chief security officer in 2015, after serving as the head of security at Facebook for seven years.

Unlike many cybersecurity executives, Mr. Sullivan was previously a lawyer and had studied cyberlaw at the University of Miami. He began his career as a federal prosecutor during the tech boom of the late 1990s and then moved into the technology industry, working at companies including eBay in 2002, where he was head of trust and safety.
Mr. Sullivan’s decision to join Uber was seen as a win for the company. As Uber’s ranks of drivers and riders had grown, people inside and outside of the company became worried about privacy and security. Uber had faced complaints about driver and rider assaults, as well as allegations that it was not doing enough to protect rider data. Mr. Sullivan was tasked with keeping drivers and riders safe.
The other Uber employee who was fired alongside Mr. Sullivan was Craig Clark, the company’s legal director of security and law enforcement. Neither Mr. Sullivan nor Mr. Clark responded to requests for comment.
The company’s decision to conceal the hack and pay the ransom quickly raised questions among cybersecurity experts. Many have repeatedly warned companies against paying hackers a ransom to cover up breaches or return stolen data, advice that was included in a 2016 statement from the F.B.I. And several states including California have laws mandating that companies disclose when they are breached by hackers.
“Companies are funding organized crime, an industry of criminals is being created,” said Kevin Beaumont, a cybersecurity expert based in the United Kingdom. “The good guys are creating a market for the bad guys. We’re enabling them to monetize what years ago would have been teenagers in bedrooms breaching companies for fun.”
Uber has experienced hacks before. The company was hit with a data breach in May 2014, an event Uber discovered later that year and disclosed in February 2015. In that attack, the names and drivers licenses of more than 50,000 of the company’s drivers were compromised.
This latest breach puts Uber in another difficult situation just as the company is working to repair its battered image and preparing to seek an initial public offering in 2019. Mr. Khosrowshahi has characterized his tenure at the company as “Uber 2.0.” As part of that, he has tossed out the aggressive corporate values that were prized by Mr. Kalanick and given the ride-hailing service a new list of values that includes “doing the right thing. Period.”
Uber has hired Matt Olsen, former general counsel at the National Security Agency, as an adviser, and has retained Mandiant, a security firm, to conduct an independent investigation of the hack. Uber said Mr. Olsen planned to restructure the company’s security team.
But the damage has already been done, and Uber officials are aware of the long road back to good standing with the public.
“Reputation damage of a breach is now a higher concern to executives than the actual attack,” Melanie Ensign, a privacy and security communications employee for Uber, said in a tweet in April 2016.