Uber paid hackers to cover up massive data breach

A man arrives at the Uber offices in Queens, New York, US. (Reuters/Brendan McDermid)
Updated 22 November 2017

Uber Technologies Inc. paid hackers $100,000 to keep secret a massive breach last year that exposed the personal information of about 57 million accounts of the ride-service provider, the company said on Tuesday.
Discovery of the US company’s cover-up of the incident resulted in the firing of two employees responsible for its response to the hack, said Dara Khosrowshahi, who replaced co-founder Travis Kalanick as CEO in August.
“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said in a blog post.
The breach occurred in October 2016 but Khosrowshahi said he had only recently learned of it.
The hack is another controversy for Uber on top of sexual harassment allegations, a lawsuit alleging trade secrets theft and multiple federal criminal probes that culminated in Kalanick’s ouster in June.
The stolen information included names, email addresses and mobile phone numbers of Uber users around the world, and the names and license numbers of 600,000 US drivers, Khosrowshahi said.
Uber passengers need not worry as there was no evidence of fraud, while drivers whose license numbers had been stolen would be offered free identity theft protection and credit monitoring, Uber said.
Two hackers gained access to proprietary information stored on GitHub, a service that allows engineers to collaborate on software code. There, the two people stole Uber’s credentials for a separate cloud-services provider where they were able to download driver and rider data, the company said.
A GitHub spokeswoman said the hack was not the result of a failure of GitHub’s security.
“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” Khosrowshahi said.
“We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
Bloomberg News first reported the data breach on Tuesday.
Khosrowshahi said Uber had begun notifying regulators. The New York attorney general has opened an investigation, a spokeswoman said.
Regulators in Australia and the Philippines said on Wednesday they would look into the matter. Uber is seeking to mend fences in Asia after having run-ins with authorities, and is negotiating with a consortium led by Japan’s SoftBank Group for fresh investment. SoftBank declined to comment.
Uber said it had fired its chief security officer, Joe Sullivan, and a deputy, Craig Clark, this week because of their role in the handling of the incident. Sullivan, formerly the top security official at Facebook Inc. and a federal prosecutor, served as both security chief and deputy general counsel for Uber.
Sullivan declined to comment when reached by Reuters. Clark could not immediately be reached for comment.
Kalanick learned of the breach in November 2016, a month after it took place, a source familiar with the matter told Reuters. At the time, the company was negotiating with the US Federal Trade Commission over the handling of consumer data.
A board committee had investigated the breach and concluded that neither Kalanick nor Salle Yoo, Uber’s general counsel at the time, was involved in the cover-up, another person familiar with the issue said. The person did not say when the investigation took place.
Uber said on Tuesday it was obliged to report the theft of the drivers’ license information and had failed to do so.
Kalanick, through a spokesman, declined to comment. The former CEO remains on the Uber board of directors, and Khosrowshahi has said he consults with him regularly.

Crime pays
Although payments to hackers are rarely publicly discussed, US Federal Bureau of Investigation officials and private security companies have told Reuters that an increasing number of companies are paying criminal hackers to recover stolen data.
“The economics of being a bad guy on the Internet today are incredibly favorable,” said Oren Falkowitz, co-founder of California-based cybersecurity company Area 1 Security.
Uber has a history of failing to protect driver and passenger data. Hackers previously stole information about Uber drivers and the company acknowledged in 2014 that its employees had used a software tool called “God View” to track passengers.
Khosrowshahi said on Tuesday he had hired Matt Olsen, former general counsel of the US National Security Agency, to restructure the company’s security teams and processes. The company also hired Mandiant, a cybersecurity firm owned by FireEye Inc, to investigate the breach.
The new CEO has traveled the world since replacing Kalanick to deliver a message that Uber has matured from its earlier days as a rule-flouting startup.
“The new CEO faces an unknown number of problems fostered by the culture promoted by his predecessor,” said Erik Gordon, an expert in entrepreneurship and technology at the University of Michigan’s Ross School of Business.


Saudi Arabia ‘has a case’ in complaint over World Cup ‘politicization’ by Qatar’s BeIN

Updated 19 June 2018

  • Broadcast of political messages in coverage forbidden, analyst confirms.
  • Saudi football federation urges FIFA to sanction the Doha-owned channel.

LONDON: Saudi Arabia has a justified case in complaining to FIFA over the “politicization” of the World Cup by the Qatari broadcaster BeIN Sports, a prominent TV analyst has said.
A flurry of comments by hosts and pundits aired on BeIN’s Arabic station prompted the Saudi Arabian Football Federation to complain to FIFA this week, saying the broadcaster was using the football tournament to spread political messages aimed at insulting Saudi Arabia and its leaders.
In its complaint, the federation called on FIFA to take severe sanctions against the Qatari channel and to abolish the rights granted to the network.
One BeIN commentator accused Saudi Arabia of “selling out the Palestinian cause,” while a Doha-based international footballer invited on the channel was allowed to call for an end to the year-long boycott of Qatar by neighbors Saudi Arabia, the UAE, Egypt and Bahrain.
Constantinos Papavassilopoulos, principal TV research analyst at IHS Markit Technology, said that politicized coverage was expressly forbidden by world football’s governing body as well as the Union of European Football Associations (UEFA).
“FIFA and UEFA forbid the transmission of political messages during football matches for which they control the rights. It’s not only comments by the broadcasters — but even banners; everything (political) is forbidden,” the analyst told Arab News.
“So messages about Palestine, about political things, are not allowed.”
Papavassilopoulos said that if there is evidence of such cases, authorities in the Kingdom would be justified in taking the matter to FIFA.
“If there are video clips that show BeIN media personnel speaking against Saudi Arabia, Saudi Arabia has a case,” he said.
But whether FIFA will take any action against BeIN is another matter. Papavassilopoulos pointed to the fact that BeIN is a valued client of FIFA — it bought the rights to host the World Cup across the Middle East and North Africa — and that Qatar plans to host the tournament in 2022.
“BeIN media is a very good client for FIFA. And don’t forget that Qatar is the country that will host the 2022 World Cup,” he said. “It’s going to be very very hard for FIFA to impose penalties on BeIN media knowing that Qatar will hold the next World Cup.”
Some of the biggest names in Arab sport have signed a petition to protest against BeIN’s politicization of World Cup coverage, urging FIFA President Gianni Infantino to investigate the coverage.
FIFA did not immediately respond to a request for comment when contacted by Arab News.