One such hacker was located in Canada while the other resided in Florida. The primary aggressor was reported to be only 20-years-old.
Statements made by Uber’s chief information security officer John Flynn offer a look behind the curtain of the company’s strategy and transparency commitments. Uber admitted to trying to cover up the 2016 breach for more than a year following the cyber-attack; they ended up paying the hackers $100,000 to “destroy the information” they had held for ransom.
“’It was wrong not to disclose the breach earlier,’ Flynn admitted Tuesday. ‘The company is taking steps to ensure that an incident like this does not happen again, with personnel changes and additional remedial actions.’”
Following the scandal, Uber fired some of its executives and faced a formal federal investigation. It is unknown how many Canadians were affected by the 2016 breach—25 million Americans, however, had been compromised.
The compromised data included identifiers such as “names, email addresses and phone numbers, but Uber has yet to find any proof that trip location history, credit card numbers, bank account numbers, Social Security numbers, or dates of birth” were discovered.
The hackers initially made contact by emailing Uber’s security team. Later, they found out that hackers had gained access to archived Uber databases and files “located on its private cloud storage system on Amazon Web Services.”
They had obtained a credential contained within the application’s code through a third-party code-collaboration site. Uber has ceased most of its private operations on Github, the third-party site.
Flynn believes the hackers began their mission in middle October 2016 and didn’t move forward again until a month later. Flynn also admits the company’s mistake in “not reporting to consumers” nor “law enforcement.”