Two hackers, Glover and Mereacre, have pleaded guilty to an extortion scheme in which they stole sensitive information belonging to 57 million Uber passengers and drivers.
According to the statement from the federal court in California, the hackers admitted to stealing personal information that the ride-hailing service provider stored on Amazon Web Services from October 2016 to January 2017, and then demanding a ransom.
After hiding the incident for more than a year, Uber admitted, in November 2017, that two hackers gained unauthorized access to information on GitHub and stole Uber’s credentials for a separate cloud-services provider, where they were able to download driver and rider data.
The incident was first reported by Bloomberg on November 21, 2017. The company reportedly fired its chief security officer, Joe Sullivan, and a deputy, Craig Clark, soon after for concealing the hacking incident.
It was reported that Uber paid the hackers US$ 100,000 in ransom to destroy the stolen data and hide the breach, which allegedly compromised the personal information of about 57 million passengers around the world in October 2016.
A week after Uber acknowledged the massive data breach, Washington State Attorney General Bob Ferguson sued the taxi-aggregator for failing to report the incident. On November 28, 2017, Ferguson filed a multimillion-dollar lawsuit against Uber in King County Superior Court, alleging that the ride-sharing company violated the state’s revised data breach notification law.
Ferguson sought civil penalties of up to US$ 2,000 per violation, which could amount to millions of dollars if Uber loses. While asking Uber to cover the costs and fees associated with the lawsuit, Ferguson alleged that the names and driver’s license numbers of at least 10,888 Uber drivers in Washington state were stolen without their being notified as state law requires.
Uber also faced a fine of £385,000 (US$ 491,284) from the United Kingdom’s Information Commissioner’s Office (ICO) for failing to protect customers’ data and not reporting the breach in a timely manner. The taxi-aggregator was also slammed by the Dutch Data Protection Authority with a fine of €600,000 (US$ 679,257) for the same reason.
The ICO stated the breach allowed hackers to illegally access personal data, including names, email addresses, and phone numbers of 2.7 million Uber customers in the U.K. and 174,000 in the Netherlands.