Uber Allegedly Paid $100K Ransom and Had Hackers Sign NDAs After Data Breach

An anonymous reader quotes a report from CBS News: New details about how Uber responded to a massive hack attack in 2016 raise questions about the way it handled sensitive customer information. Instead of reporting the hackers to police, the company allegedly paid $100,000 in exchange for a promise to delete 57 million user files the men stole off a third party server, prosecutors said. Within weeks of paying the ransom, Uber employees showed up at Brandon Glover's Winter Park, Florida, home and found Vasile Mereacre at a hotel restaurant in Toronto, Canada, the Justice Department said. The pair admitted their crimes, but Uber didn't turn them over to the cops. Instead, they had the hackers sign non-disclosure agreements, promising to keep quiet. The two hackers pleaded guilty on Wednesday.

But there was a third person involved who was unknown to Uber, U.S. attorney for Northern California Dave Anderson told CBS News correspondent Kris Van Cleave in an exclusive interview. Anderson, who investigated the hack, said there's "no way to know definitively" what actually happened to the stolen data. [...] The hackers also targeted a company owned by LinkedIn in December of 2016, but prosecutors say LinkedIn did not pay and promptly reported the hack to police. Uber eventually did as well -- a year after the hack, when new CEO, Dara Khosrowshahi, publicly disclosed the attack. The two known hackers were eventually arrested and pleaded guilty on Wednesday to conspiracy to commit extortion charges. They face a maximum of five years in prison. The third person involved remains at large.

So...

[burtosis]

They disrupted the market and took Uber for a ride... then were promptly rewarded? Somewhere at Uber HQ there must be a massive landfill of problems swept under the corporate rug.

Re:

[paralumina01]

It sounds like grayhat to me.

Re:

[Sibko]

The only thing uncommon about this chain of events is the fact that it got out to the media. Likely a bought and paid hit piece - I've noticed more than a few targeting uber for whatever reason over the last couple years.

In any case, do not think for one second that businesses aren't doing this constantly. Paying off hackers a relative pittance is nothing compared to getting your data back and not having to tell your customers a data breach happened and avoiding fines, litigation, embarassment, and potentia

Corporate Slogan

[crow]

I wish Uber would grow up and drop their corporate slogan, "Do evil." That may have worked for them as a start-up, but it's time to grow up and act like an established business that lobbies and manipulates the law so that they can follow it, while using it to block their competition. They're not a mad scientist in a secret lair anymore.

Ridiculous.

[Anonymous Coward]

Pretty sure there are ex-Spetznaz who would solve that problem quite permanently for less than a hundred grand...

Lawyer fee

[DrYak]

The ex-Spetznaz would indeed probably cost a lot less than the bounty.

Yes, but...

The fee of the lawyers, once the rainfall of litigation (privacy class actions suits regarding the leaks, suspicion of murder due to the disappearance of the hackers, etc.) drops on Uber, after the leaked data is auto-released post-mortem once the (now dead) hacker fail to periodically log in their deadman's switch/vigileance [wikipedia.org] ? Well those are going to definitely exceed the ransom.

So the total cost of the ex-Spetznaz route is a

Uber is prime example of what happens

[Jarwulf]

when a Silicon Valley Corp isn't part of the 'Woke Cult'. Other companies go through these shenanigans and are incompetent all the time and they pass unnoticed through the pages or don't even make the pages of Slashdot and Hacker News. However, Kalanik and the former leadership for whatever reason was one of the very few groups that just wanted to run a tech company weren't 'getting with the program' of far left extremism and constant social justice virtue signaling every other SV company does almost withou

What I want to know ...

[lsllll]

... is that if the hackers were known, why didn't they alert the FBI? If the hackers weren't known, then WTF does an NDA do? For the record, I did not RTFA.

Re:

[weilawei]

Signed confession?

Re:

[PingSpike]

There would have been a news story if they alerted the FBI "Uber lost all your user data". Very embarrassing, and they might get fined or have to pay compensation to the victims! Sure, it barely would have cost them any money even then but its much better PR to just pay 100K to sweep the whole mess under the rug. Sure, some of the victims will be worse off since they have no idea their data was stolen but that wouldn't factor into uber's math.

Re: What I want to know ...

[nategasser]

It's funny/sad that a Silicon Valley company's solution to every problem is "Make them sign an NDA."

Re:

[v1]

Yeah. that's rather silly. Hackers are already not following the law. What kind of idiot thinks a hacker will honor an NDA? If they're paying the ransom in bitcoin, that's to try to stop the victim from figuring out their identity. So did the hackers sign this NDA with their real name? Or is the NDA trying to legally bind Mickey Mouse? Surely they didn't show up in person to sign it?

Just so much stupid, it's almost too much to bear...

Reminds me of others trying to clear legal hurdles with criminals: h [youtube.com]

Why conspiracy ?

[fred911]

Isn't conspiracy an attempt or overt plan to commit a crime? After the crime is executed, why are they only charging them for the plan and not the execution of the crime. What part of this story is missing, or what part of this case is so weak as to not charge the criminal with the actual crime? 5 years for a federal case of multiple counts of wire fraud seems somewhat light.

Re:

[radarskiy]

Those are the charges that they pleaded guilty to as part of their plea agreement. The article does not state if there were any other charges made, or any other potential charges that were held back due to the plea agreement. There is a third conspirator still at large, so holding back charges may be contingent on cooperation with locating that third conspirator.

Also, confounding additional charges is the fact that Uber treated with the extortionists. That may make it harder for their final actions to meet

Vasile Mereacre

[war4peace]

Vasile Mereacre is a Romanian name, last name (Mereacre) is directly translated to English as "Sourapples".

Confirmed now

[campuscodi]

Technically speaking, you don't need to say allegedly after the guy pleaded guilty. Even the new Uber CEO admitted to the payment.

"pleaded guilty"

[astrofurter]

Ahhhh, how I do love the smell of coerced false confession in the morning!

Shout out to LinkedIN...

[nategasser]

...who are mentioned in passing, as having been the victim of a similar attack but promptly reported it instead of paying ransom.

Everybody knows paying ransom only encourages more attacks. Companies need to know we support their decision not to pay.

Good thing they have a (NDA) contract.

[Libertarian_Geek]

I hope they added a clause in the contract to ensure that the criminals wouldn't commit crime against them in the future. Maybe that's how we can get criminals to obey the law. We have them sign contracts.