
Hackers plead guilty to breach that Uber covered up

Friday, 01 November 2019 / Published in Blog, Sophos

by Sophos Naked Security Author Lisa Vaas

Remember when Uber was hacked but paid the hackers $100,000 in hush money to delete the data and zip their lips about it?

The two guys who did the hack, they’re going down.

Brandon Charles Glover, 26, of Florida, and Vasile Mereacre, 23, of Toronto, each pleaded guilty on Wednesday in a San Jose courthouse in California to one charge of conspiracy to commit extortion involving computers. Specifically, they pleaded guilty to stealing companies’ personal information that was stored on Amazon Web Services from October 2016 to January 2017 and then demanding money to destroy their copies of the data.

They each face up to five years in prison and a fine of $250,000 and will be sentenced in March 2020. Maximum sentences are rarely handed out.

With the guilty pleas, Uber’s elaborate coverup has been dragged back into the limelight.

The data of 57 million drivers and customers was stolen in the 2016 data breach. Uber not only kept the breach secret from the victims, it also paid $100,000 in hush/delete-the-data money, as in, $50,000 to each of the two crooks.

Uber paid off crooks whose identities it had already figured out

This was after the company had already discovered Glover’s true identity, sent an Uber rep down to Florida to meet with him and get him to sign a nondisclosure agreement in his true name on 3 January 2017, and, two days later, likewise sent a rep to a restaurant in Toronto to meet with Mereacre and get him to sign an NDA in his real name, too.

It wasn’t until 10 months later, in November 2017, that Uber told riders and drivers that it had lost control of their personal information and that it had fallen into the hands of crooks. The company not only hid the breach from those affected, but also from the Federal Trade Commission (FTC) while the watchdog was investigating Uber over a separate database hack, from 2014.

Both the 2014 and the 2016 hacks were made possible by the same exact security fail: in both breaches, Uber’s engineers left the keys to the castle – a key to Amazon Web Services S3 cloud servers – sitting around, publicly available, on GitHub.

According to the Department of Justice (DOJ), the two hackers actually used their success with Uber as a selling point. When trying to extort the LinkedIn-owned education company Lynda, they said:

Please keep in mind, we expect a big payment as this was hard work for us, we already helped a big corp which paid close to seven digits, all went well.

LinkedIn didn’t play ball. Instead, it tried to identify the extortionists and called in the cops.

US Attorney David Anderson was none too impressed by Uber’s attempt to sweep the attack under the rug. From a statement:

Companies like Uber are the caretakers, not the owners, of customers’ personal information.

What gets stolen in a computer extortion belongs to your neighbors, not to yourselves. Don’t be so concerned with your image or reputation. Be concerned with the real losses others have suffered. Report the intrusion promptly. Cooperate with law enforcement.

Original article can be found here: https://nakedsecurity.sophos.com/2019/11/01/hackers-plead-guilty-to-breach-that-uber-covered-up/
