Uber – Uber’s Massive Data Breach; $100K Ransom Payment

Uber – Uber Allegedly Paid Hackers To Delete Stolen Data 

Kehoe Law Firm, P.C. is investigating claims related to a massive data breach of sensitive personal information from transportation company Uber.

According to The New York Times:

Uber disclosed . . . that hackers had stolen 57 million driver and rider accounts and that the company had kept the data breach secret for more than a year after paying a $100,000 ransom.

The deal was arranged by the company’s chief security officer and under the watch of the former chief executive, Travis Kalanick, according to several current and former employees who spoke on the condition of anonymity because the details were private.

The security officer, Joe Sullivan, has been fired. Mr. Kalanick was forced out in June, although he remains on Uber’s board.

The two hackers stole data about the company’s riders and drivers — including phone numbers, email addresses and names — from a third-party server and then approached Uber and demanded $100,000 to delete their copy of the data, the employees said.

Uber acquiesced to the demands, and then went further. The company tracked down the hackers and pushed them to sign nondisclosure agreements, according to the people familiar with the matter. To further conceal the damage, Uber executives also made it appear as if the payout had been part of a “bug bounty” — a common practice among technology companies in which they pay hackers to attack their software to test for soft spots.

Uber – Data Hack Details Remained Hidden

According to The New York Times, the details of the attack remained hidden until Tuesday. The ride-hailing company said it had discovered the breach as part of a board investigation into Uber’s business practices.

Uber Has Experienced Other Data Breaches

The New York Times also reported that Uber has experienced breaches before. The company was hit with a data breach in May 2014, an event Uber discovered later that year and disclosed in February 2015. In that attack, the names and driver’s licenses of more than 50,000 of the company’s drivers were compromised. Further, The New York Times reported:

While it is not illegal to pay money to hackers, Uber may have violated several laws in its interaction with them.

By demanding that the hackers destroy the stolen data, Uber may have violated a Federal Trade Commission rule on breach disclosure that prohibits companies from destroying any forensic evidence in the course of their investigation.

The company may have also violated state breach disclosure laws by not disclosing the theft of Uber drivers’ stolen data. If the data stolen was not encrypted, Uber would have been required by California state law to disclose that driver’s license data from its drivers had been stolen in the course of the hacking.

What Can Individuals Do If They Believe Their Personal Information Has Been Compromised?

If you believe your personal information may have been exposed or compromised due to the Uber data breach, please complete the form to the right or contact either John Kehoe, Esq., (215) 792-6676, Ext. 801, [email protected]; Michael Yarnoff, Esq., (215) 792-6676, Ext. 804, [email protected]; or send an e-mail to [email protected].

About Kehoe Law Firm, P.C.

The Kehoe Law Firm, P.C. is a multidisciplinary, plaintiff–side law firm dedicated to protecting investors and consumers from corporate fraud, negligence, and other wrongdoing. Driven by a strong and principled sense of social responsibility and obtaining justice for the aggrieved, Kehoe Law Firm, P.C. represents plaintiffs seeking to recover investment losses resulting from securities fraud, breaches of fiduciary duty, corporate wrongdoing or malfeasance, those harmed by anticompetitive practices, and consumers victimized by fraud, negligence, false claims, deception, data breaches or whose rights to minimum wage and overtime compensation under the federal Fair Labor Standards Act and state wage and hour laws have been violated.