Breach Notification , Cybercrime , Fraud Management & Cybercrime
Two Uber Hackers Plead GuiltyPair Extorted $100,000 From Ride-Sharing Service After Data Breach
Two hackers have pleaded guilty in connection with an extortion campaign tied to the theft of data on about 57 million Uber customers and drivers. The incident led to a massive fine against the ride-sharing company for its tardy breach notification and weak security.
See Also: LIVE Webinar | Stop, Drop (a Table) & Roll: An SQL Highlight Discussion
The defendants, Brandon Charles Glover, 26, of Winter Springs, Florida, and Vasile Mereacre, 23, of Toronto, also tried to blackmail Lynda.com, now known as LinkedIn Learning, prosecutors say.
Both pleaded guilty in a California federal court Wednesday to one count of conspiracy to commit extortion. They now face up to five years in prison and a fine of $250,000. A status conference regarding sentencing is set for March 18, 2020
In their plea agreements, the defendants admitted to engaging in a conspiracy to use stolen credentials to gain access to confidential corporate databases from October 2016 to January 2017. They admitted to using the stolen data to extort bitcoin ransom payments from Uber in exchange for permanent deletion of the records. Uber paid the hackers $100,000 in bitcoins in an attempt to cover up the issue, but did not reveal the breach until November 2017.
The hackers also targeted Lynda.com, an online learning platform that's a subsidiary of LinkedIn, gaining access to data on over 90,000 users and attempting to extort money, according to court documents. But Lynda.com declined to pay the ransom and warned its customers about the data breach, authorities say.
"We’re dealing with the most sophisticated cyber actors in the world," said John Bennett, an FBI agent who investigated the case. "In order to take on those people on the front lines of the cybersecurity battle, we rely heavily on our valued relationships and open dialogue with private sector companies in cyber industries."
Reputation at Stake
At Wednesday's hearing, David L. Anderson, the U.S. attorney for the Northern District of California, warned tech firms to not be concerned about their "reputation" following a breach and requested that these companies be prompt in reporting instances of data theft.
"Companies like Uber are the caretakers, not the owners, of customers’ personal information,” Anderson said. "What gets stolen in computer extortion belongs to your neighbors, not to yourselves. Don’t be so concerned with your image or reputation. Be concerned with the real losses others have suffered. Report the intrusion promptly. Cooperate with law enforcement.”
Uber did not immediately reply to a request for comment.
Compromised Amazon S3 Buckets
In these two hacks, the court documents note the hackers first gained access to the companies' databases that were stored on Amazon's S3 storage service to access information such as names, email addresses and phone numbers.
Glover and Mereacre notified the two companies of the breaches and demanded money in exchange for deleting the stolen data, prosecutors say. To induce payments from both Uber and Lynda, the hackers then sent samples of the stolen data to the firms as proof of the hack, according to court documents.
Uber's Cover-up Raises Data Privacy Concerns
Uber's decision to quietly pay off the hackers and its failure to promptly notify regulatory agencies such as the Federal Trade Commission about the breach led to scrutiny (see: Uber Concealed Breach of 57 Million Accounts for a Year )
In February 2018, Uber CISO John Flynn testified before the U.S. Senate Subcommittee on Consumer Protection, Product Safety, Insurance and Data Security and admitted that Uber should have notified the public sooner about the breach (see: Uber: 'No Justification' for Breach Cover-Up )
In September 2018, Uber reached a $148 million settlement agreement with the attorneys general of all 50 states and the District of Columbia over its failure to report the 2016 breach and its inadequate security (see: Uber Reaches $148 Million Breach Settlement With States )