Uber Hackers Hailed From Canada And Florida

The hackers behind the 2016 data breach of rideshare startup firm Uber were located in Canada and Florida, according to Reuters reports published Tuesday (Feb. 6). The breach, which impacted nearly 57 million accounts worldwide, resulted in compromised names, phone numbers, email addresses and drivers’ licenses, but excluded Social Security and credit card numbers.

Approximately 25 million U.S. residents were impacted by the breach, 4.1 million of which were company drivers, testimony from John Flynn, Uber’s chief information officer, recently revealed to a Senate Commerce Committee panel. As a result, recently appointed CEO Dara Khosrowshahi was tasked with firing two of the company’s top security officials.

A 20-year-old male was behind the breach, and was paid by Uber to destroy what he hacked in a “bug bounty” that was created to reward researchers who found unknown security issues. The man’s partner, who first contacted Uber about the issue in November 2016, demanded a payment from his location in Canada. The duo’s efforts resulted in a $100,000 payout to destroy the evidence.

Neither the hack, which impacted 57 million users’ data worldwide, nor the ransom were made known to the public at first, resulting in widespread criticism once both were revealed at a much later date.

“We made a misstep in not reporting to consumers, and we made a misstep in not reporting to law enforcement,” Flynn said in his comments to the Senate Committee.

Many bystanders were upset with the lack of disclosure, particularly lawmakers.

“The fact that the company took approximately a year to notify impacted users raises red flags within this committee as to what systemic issues prevented such time-sensitive information from being made available to those left vulnerable,” remarked Republican Jerry Moran.

The hack and lack of disclosure was called “morally wrong and legally reprehensible” by Democratic Senator Richard Blumenthal, who also noted Uber had failed to comply with state rules by not making the data breach known sooner.