Uber, a global transportation technology company, is facing lawsuits and government investigations after the company hid a cyber breach for a year. According to the City of Chicago’s complaint against Uber, in October 2016, hackers accessed Uber’s code repository at GitHub, which is hosted by Amazon Web Services. Using the repository, the hackers obtained login credentials that allowed them to access the personal information of more than 50 million people.
To keep the breach quiet, Uber reportedly paid the hackers $100,000 and had them sign a non-disclosure agreement. Uber claims the hackers agreed to delete any stolen data. However, Chicago’s attorneys argue that trusting the hackers is “nonsensical.”
Previous Cyber Breach
The breach is not Uber’s first cyber incident. In 2014, hackers compromised Uber’s network by using similar hacking methods. After an investigation, the Federal Trade Commission (FTC) alleged that Uber did not prevent the breach because it failed to take reasonable measures, such as monitoring the network and requiring multi-factor authentication. As a result, Uber entered into a consent order with the FTC promising to take corrective actions that included securing its data and implementing a privacy program.
As plaintiffs file lawsuits alleging that Uber violated state breach laws, a group of senators is demanding that Uber provide a detailed timeline of the breach. One senator questioned why Uber chose not to provide forensic information to law enforcement to help them catch the hackers. Meanwhile, Uber announced that it will alert the affected individuals and offer them free identity monitoring for one year.
For more information, visit Ars Technica and the Federal Trade Commission.