Uber quietly paid hackers $100,000 late last year to delete personal data the cyber criminals had stolen from 57 million riders and drivers – and the rideshare giant said it feels “assured” the hackers kept their word. But experts say it is impossible to know whether copies could exist.
In Oct. 2016, after learning of the breach, Uber’s team tracked down the hackers and paid them to destroy the data, which included names, phone numbers, and email addresses for 50 million riders globally and 7 million drivers in the United States. Of those drivers, 600,000 also had their driver’s license numbers exposed.
An Uber spokesperson declined to comment on why the company was confident the personal records were destroyed, but the New York Times reported that as part of the deal, the hackers agreed to sign non-disclosure agreements.
Bargaining with hackers over ransomware – when cyber thieves lock up your files and hold them hostage for money or Bitcoin – is incredibly common, according to experts. However, the security experts NBC News spoke with said that although there are some unanswered questions, Uber’s tactic of negotiating with criminals and then not publicly disclosing the breach is highly unusual.
“It is all but desperation and a leap of faith and keeping one’s fingers crossed that the criminals are people of their word,” Robert Siciliano, CEO of IDTheftSecurity.com, told NBC News. “When engaging criminals in a demand of extortion, an individual or company would be doing this as a last resort because they didn’t protect their data in the first place, they hadn’t backed up the information, or the data that could be leaked was disparaging.”
Shuman Ghosemajumder, chief technology officer of Shape Security and Google’s former click-fraud czar, told NBC News he doesn’t believe there’s any way Uber could ever be sure the files were deleted.
“When you are talking about something that is downloaded and stored on computer systems, there are so many different ways you can make a copy that would be impossible to know,” he said.
Regardless, he believes Uber could have mitigated the breach by disclosing it as soon as it happened.
“The data breach itself is not as bad as many data breaches that have happened over the past few years. It doesn’t have passwords like Yahoo – or social security numbers, like Equifax,” he said.
While Uber CEO Dara Khosrowshahi said the breach – which did not occur under his tenure – should have been disclosed, Uber does have one thing going for it that may bring some peace of mind: time.
Over the past year, there haven’t been any reported instances of fraud or misuse tied to the breach, according to Khosrowshahi.
The company is also flagging affected accounts for additional fraud protection and is offering free credit monitoring and identity theft protection services to the U.S.-based drivers whose driver’s license numbers were exposed.
But the disclosure – one year later – is fueling even more questions about why Uber wanted to cover it up and whether the $100,000 payout could incentivize more hackers to act.
“The more criminals are incentivized, it makes our job harder,” Michael Reitblat, an online fraud expert and CEO of fraud protection company Forter, told NBC News. “We shouldn’t be negotiating with cyber criminals.”
One way to positively incentivize hackers is through bug bounty programs, which encourage ethical hackers to help find flaws in a company’s website or product. A growing number of companies, from Uber to Tesla and Apple, are using bug bounties as another layer of security.
However, according to data shared online by HackerOne, the platform Uber uses to facilitate its program, the company’s highest bounty is in the $4,000 to $10,000 range – a far cry from the $100,000 ransom the rideshare giant forked over.