The initial event
In October 2016, the names, emails, and phone numbers of some 57 million Uber users – 50 million riders and seven million drivers – were illegally obtained by a couple of hackers fronted by “John Doughs,” who later turned out to be a 20-year-old from Florida. The hackers found login credentials for an Uber Amazon Web Services account embedded in code on a private GitHub site owned and maintained by Uber software engineers. Once the attackers broke into the AWS account, they discovered the trove of Uber rider and driver information, which included 600,000 driver’s license numbers. The hackers then emailed Uber’s Chief Security Officer at the time, Joe Sullivan, asking for money.
The revelation of the Uber data breach wasn’t immediate, though, nor did it come soon after Uber became aware of the hack. In fact, it was only in November 2017, more than a full year later, that Uber finally disclosed the breach to the wider public, including the customers and drivers directly impacted by it.
In contrast, Uber’s then-CEO, Travis Kalanick, learned about the hack soon after it happened. The context surrounding his discovery would become highly relevant during the crisis. Uber had just settled a lawsuit with the New York Attorney General’s Office over data security disclosures. The company was also in the midst of negotiating with the U.S. Federal Trade Commission over the handling of consumer data.