Uber disguised $100,000 hacker payoff as bug bounty, claims Reuters

Remember the 2017 Uber breach?
The one that was actually discovered in 2016, except that Uber conveniently forgot about it for a year before admitting, “Well, yes, now you mention it, some records did get taken.”
57,000,000 records in all, apparently, including – for Uber drivers, at least – data such as driving licence and vehicle registration details.
From a regulatory point of view, Uber ought to have reported this breach promptly in many jurisdictions around the world, rather than hushing it up; in the UK, for example, the Information Commissioner’s Office (ICO) has variously stated:
Uber’s announcement about a concealed data breach last October raises huge concerns around its data protection policies and ethics. [2017-11-22T10:00Z]
It’s always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers. Deliberately concealing breaches from regulators and citizens could attract higher fines for companies. [2017-11-22T17:35Z]
Uber has confirmed its data breach in October 2016 affected approximately 2.7 million user accounts in the UK. Uber has said the breach involved names, mobile phone numbers and email addresses. [2017-11-29]
At the time the breach news broke, it also emerged that Uber had paid $100,000 in what was effectively hush money to the hacker or hackers behind the breach, making it possible for Uber to sweep the breach under the carpet.
We speculated at the time how this payout might have been orchestrated:
It’ll be interesting to see how the story unfolds – if the current Uber leadership can unfold it at this stage, that is. I suppose you could wrap the $100,000 up as a “bug bounty payout”, but that still leaves the issue of “very conveniently deciding for yourself that it wasn’t necessary to report it”.
Well, if an exclusive investigation published recently by Reuters has it right, then so did we: Reuters claims that the payoff was indeed made to look like a bug bounty payout.
Bug bounties are official rewards offered by companies to researchers who find security bugs, flaws, holes and problems, but this sort of payout is offered within a legal framework that – for obvious reasons – puts limits on exactly where bounty hunters should go, and how they should behave.
Deliberately hacking a live system in a way that is likely to crash it just to prove a point is understandably off-limits; so too is using unlawful techniques to achieve a result – stealing a physical server, for example, or threatening an employee to extract a password.
Another unlawful no-no is actually cracking into a server, stealing a giant pile of data and then offering the data back for what amounts to a ransom, even if that ransom payment would also lead to finding and fixing the security hole.
But Reuters is insisting that is pretty much how it played out in the Uber case.
According to Reuters, the attack and breach went something like this: the hacker who was ultimately paid off by Uber contracted a “researcher” to dig out Uber passwords on GitHub; those passwords led to the 57 million records; Uber then received “an email […] demanding money in exchange for user data”.
Of course, even if that wasn’t quite how it happened, or if calling this a bug bounty payout is ultimately deemed ethically acceptable…
…there’s still the issue that we described above, namely the matter of Uber very conveniently deciding unilaterally that it wasn’t necessary to report the breach.
Over here in the UK, we’ll be very interested to see what the ICO has to add to its earlier warnings.