author photo
By Bruce Sussman
Thu | Nov 7, 2019 | 6:30 AM PST

The story of Uber's 2016 data breach just became even harder to believe.

New court documents reveal that Uber went well beyond paying the hackers to destroy the data they had stolen.

It turns out, Uber made the men sign confidentiality agreements with the company to make sure they kept their mouths shut about the data breach.

Court documents also reveal new information about the chain of events, including hacker tactics, that led to the cyberattack cover-up by Uber. 

Let's dive in, then, to what's new regarding the Uber case.

Uber data breach cover-up, new details

The Uber hackers are Brandon Charles Glover, who is 26 and from Florida, and Vasile Mereacre, who is 23 and from Toronto. Both men recently pleaded guilty in the case.

 As part of the plea agreements, the U.S. Department of Justice revealed new details about how the Uber hack unfolded, including how Uber required them to sign confidentiality agreements.

Uber data breach: details of how it worked

Let's start by taking a look at the data breach details including the approach used by hackers. The DOJ paints a clear picture.

It started with the hackers stealing Uber's AWS credentials, and then crime-as-a-service kicked in:

"With respect to Uber, defendants admitted they provided credentials regarding Uber's Amazon Web Services account to a 'technically proficient hacker.' The hacker identified archive files that contained 57 million Uber user records consisting of customer data and driver data.  

Defendants admitted they illegally accessed and downloaded the records from Amazon Web Services and, on November 14, 2016, contacted Uber claiming to have found a major vulnerability in Uber's computer security systems.  

Defendants provided a portion of the database to prove the information had been exfiltrated and then demanded payment in exchange for deleting the stolen data."  

Uber, as we've heard discussed at our SecureWorld conferences, agreed to pay the hackers to destroy the data, although as a lawsuit against the company says, what good would that do?

"Of course, any agreement that Uber reached with the criminal hackers was meaningless since criminal hackers couldn't possibly be trusted to protect user data. Nor did Uber require any proof that the stolen data was, in fact, deleted. That is because in an age where thousands of copies of digitial information can be made in a second, it is impossible for Uber to know that all copies of the data were in fact destroyed."

Uber demands hackers sign confidentiality agreements

We've known for some time now that the company paid the hackers $50,000 each and put it onto the company books as a "bug bounty payment" so it could remain an internal secret.

Now, the new court documents reveal that Uber's efforts to keep that secret involved clandestine meetings where the hackers lived and the signing of non-disclosure agreements (NDAs):

"The defendants' plea agreements state that on November 16, 2016, Uber agreed to pay $100,000 in bitcoin to the defendants through a third party but that, as part of the agreement, Uber demanded that the defendants also sign a confidentiality agreement.

After three weeks of negotiation, Uber made two $50,000 payments, one on December 8 and the other on December 14, 2016. Then, in January 2017, Uber informed the defendants that it had discovered Glover's true identity.  

On January 3, 2017, a representative from Uber met with Glover at his Florida home, where Glover admitted his role in the data breach exfiltration and signed a confidentiality agreement in his true name. On January 5, 2017, a representative from Uber met with Mereacre at a hotel restaurant in Toronto, Canada, where Mereacre admitted his role in the data breach exfiltration and signed a confidentiality agreement in his true name."

Even after Uber discovered the hackers' true identities and essentially had signed confessions from them, the company did not go to law enforcement. Instead, it effectively said, "Okay, just don't tell anyone."

Moral contrast: hackers try to extort Lynda.com

The hackers also accessed the AWS database of online training site Lynda.com and attempted the same type of extortion that lead to the $100,000 payout from Uber.

"Glover and Mereacre admit that in December of 2016, they possessed information regarding over 90,000 confidential Lynda.com user accounts that the defendants had illegally accessed and downloaded from Lynda.com's Amazon Web Services account.

 On December 11, 2016, defendants emailed a portion of the user account information to the security team at LinkedIn. Defendants also demanded compensation in exchange for deleting the stolen data."

Lynda.com is a LinkedIn company, and the hackers were hoping for another round of cash. Instead, the DOJ says, LinkedIn tried to socially engineer the attackers:

"Rather than pay the bounty, LinkedIn sought to identify the source of the extortionist email. Specifically, LinkedIn tried to lure the writer of the email to enroll with a third party to assist in the negotiation of terms for payment to the defendants. In this way, LinkedIn hoped to identify the extortionist and notify law enforcement of the plot.  

Defendants told LinkedIn's representatives, '[p]lease keep in mind, we expect a big payment as this was hard work for us, we already helped a big corp which paid close to 7 digits, all went well.'  

The defendants stopped communicating with LinkedIn in January 2017, and the company did not pay defendants for the data or for confidentiality."

Perhaps Uber should have taken a Lynda.com course on how to handle hackers trying to extort the company. 

U.S. Attorney David Anderson hopes organizations will certainly learn from this cyberattack.

"Companies like Uber are the caretakers, not the owners, of customers' personal information," Anderson says. "What gets stolen in a computer extortion belongs to your neighbors, not to yourselves.  Don't be so concerned with your image or reputation. Be concerned with the real losses others have suffered. Report the intrusion promptly. Cooperate with law enforcement."

The defendants in this case face up to five years' imprisonment and a fine of $250,000. Both men are free until their sentencing in March 2020.

Uber previously settled a class action lawsuit by U.S. states by agreeing to pay them $146 million.

[RELATED: 8 Things Uber Must Do (Besides Pay) Because of Its Breach Settlement]

Comments