Uber: Hackers stole 57m passengers, drivers' info. We also bribed the thieves $100k to STFU

Uber's CEO Dara Khosrowshahi today revealed hackers broke into the ride-hailing app's databases and stole personal information on 57 million passengers and drivers – information including names, email addresses, and phone numbers. And the cyber-thieves made off with 600,000 US driver records that included their license numbers …

  1. JohnFen
    FAIL

    Rotten to the core

    Uber has been operating as a criminal enterprise for years, so this revelation is hardly shocking. In my opinion, criminality is so baked into the Uber culture that the first thing required to begin to change it is a complete replacement of the board of directors and all of upper management. The rot has been there for so long, and is so deep, that it's hard to see how real change is possible without that.

    1. veti Silver badge

      Re: Rotten to the core

      And they've got a new CEO, and he's firing C-level people in an effort to clean house.

      Look, I despise Uber as much as the next person. I still take taxis. But for pete's sake, if the company is trying to clean up its act, at least give it credit for what it does.

      Otherwise it'll have no incentive to change its ways, because it gets condemned either way.

      1. Anonymous Coward

        'at least give it credit for what it does.'

        Fuck Uber.... Annihilation of all competition while ripping everyone's privacy to shreds is their sole and only goal!

        ~~~

        https://www.nakedcapitalism.com/2016/12/can-uber-ever-deliver-part-four-understanding-that-unregulated-monopoly-was-always-ubers-central-objective.html

        ~~~

        https://www.theregister.co.uk/2017/08/15/uber_ftc_settlement/

        https://www.theregister.co.uk/2014/11/20/senator_franken_uber_privacy_probe/

        https://www.theregister.co.uk/2017/04/24/uber_cloaked_its_spying_but_apple_gave_it_a_wrist_slap/

        https://www.wired.com/insights/2015/01/uber-privacy-woes-cautionary-tale/

        http://www.firstpost.com/business/android-phone-ubers-new-privacy-policy-will-spook-2269042.html

        https://www.theregister.co.uk/2015/06/22/epic_uber_ftc/

      2. Charlie Clark Silver badge

        Re: Rotten to the core

        Otherwise it'll have no incentive to change its ways, because it gets condemned either way.

        What is the purpose of Uber the company if not to screw other people?

        1. Anonymous Coward

          Re: Rotten to the core

          "What is the purpose of Uber the company if not to screw other people?"

          The transfer of wealth from poorer people to richer people. Trickle up economics, in fact.

          Poor people getting screwed is incidental. In fact, I doubt it ever occurred to the founders because, for entitled bros, poor people don't really exist until you want the trash taken out. Or cheap drivers.

      3. JohnFen

        Re: Rotten to the core

        "And they've got a new CEO, and he's firing C-level people in an effort to clean house."

        Neither of which amount to a new board and upper management. I understand that the CEO says he's trying to clean house, and if that's true, then I applaud the effort. However, I don't see how that means that the company should escape criticism, and I don't see how that means the company should be viewed with any less skepticism than before.

        If/when Uber manages to become at least a minimally ethical company, I'll praise them for it. But not before.

    2. Anonymous Coward

      Re: Rotten to the core

      complete replacement of the board of directors and all of upper management

      Would that be enough? All the mid level managers and even employees have operated in the shadow of the crooks, gropers and idiots. You can have organisations where only the management are corrupt (I've worked for some), but I'd imagine that the "Uber way" has been baked in from its days as a start up. As much as anything else, there's been so much dirt that Uber has kicked over itself, and yet the current employees have acquiesced, and continued to work there. What does that tell us?

      IMHO the only solution is to close down Uber as a corporation, and sell the IP to somebody willing to start the business from scratch, using the same platform and consumer offer, but with 100% different people. But I can't see that happening.

      1. israel_hands

        Re: Rotten to the core

        The problem runs deeper than just the amoral dipshits running it though. The entire business model is fucked from the start, something rotten and diseased that can only exist by feeding billions into the cash furnace at its heart while trying to hide itself in the cracks between laws and regulations.

        They lose something like 40% on every fare, they don't employ people properly and have been found guilty of dicking them over on even the amounts they do pay them. They avoid almost all taxes, don't put anything back into the system in terms of providing standard benefits for the drivers they claim not to employ. Changing the names of the bellends in charge won't fix any of that, and if they do start operating as an actual company, paying taxes and abiding by regulations they'll lose even more money than they are now.

        1. Peter2 Silver badge

          Re: Rotten to the core

          I wouldn't say it's totally fucked as a business model. If it manages to force the taxi companies paying taxes and properly employing their drivers out of business, then Uber becomes a total monopoly and can then jack prices up to take advantage of being a monopoly.

          It's certainly rotten and diseased as a company and business model. The biggest surprise is that the people who usually claim to be for protecting the oppressed via worker protections and rules and regulations are actually the biggest supporters of Uber and are loudly agitating to prevent governments from taking action to protect companies playing by the rules.

          1. Eddy Ito

            Re: Rotten to the core

            I wouldn't say it's totally fucked as a business model. If it manages to force the taxi companies paying taxes and properly employing their drivers out of business, then Uber becomes a total monopoly and can then jack prices up to take advantage of being a monopoly.

            That's a crappy business model. Forcing taxi companies out of business by hemorrhaging vast sums of cash is pretty stupid and not sustainable. One might think that once they have a monopoly they could raise their fees but they have already slit their own throats. The only reason taxi companies had a monopoly was because of "the rules" and government limiting who could enter the market space by use of the ever precious medallions. Once that government repression is eliminated and the market is wide open and anyone with a car and an app can then enter the market and compete, like Lyft, there can be no monopoly. Monopolies really only thrive when they have government backing which is also why the phone company was a monopoly for such a long time.

            Uber's main problem has been that it has been so Machiavellian in how it goes about trying to undercut laws and hinder competitors that it mostly forgot about what the original goal was. It went from providing a service to blindly adopting win at all costs tactics that are ultimately self destructive as we've witnessed in these first stages of collapse. At this point it really needs a hard reboot with a refreshed business plan and a lot of chlorine to sanitize the corporate culture. The question is whether they will succeed in turning it around before investors decide to cut their losses and likewise the flow of cash currently running into the furnace.

          2. DanceMan

            Re: The biggest surprise is that the people who usually claim

            "The biggest surprise is that the people who usually claim to be for protecting the oppressed via worker protections and rules and regulations are actually the biggest supporters of Uber"

            In BC the Green Party leader has been actively agitating for the gov't to allow Uber. Sensibly, the new NDP gov't has been delaying a decision. One can hope.

      2. nematoad
        Unhappy

        Re: Rotten to the core

        "...and yet the current employees have acquiesced, and continued to work there. What does that tell us?"

        That these people need a wage to put food on the table, pay the mortgage etc.

        Do you really hate Uber so much that you want to punish everyone connected with this rotten organisation? That's unjust and unfair. Like every human organisation there will be good people and bad people working there. It's just that in this instance most of the bad sorts seem to have risen to the top.

        1. Anonymous Coward

          Re: Rotten to the core

          Do you really hate Uber so much that you want to punish everyone connected with this rotten organisation?

          Yes and Why Not? Is the total destruction of the little people to get at the One Bad Guy at The Top not the holy principle applied to every "regime change" and "humanitarian intervention" since forever!? Why should we treat someone like Uber differently from everyone else we don't like the leadership of?

          PS:

          The minions still get "food on the table" after Uber is a smoking hole in the ground, only, they have to apply for welfare first!

        2. Warm Braw

          Re: Rotten to the core

          These people need a wage to put food on the table, pay the mortgage etc

          At what income does the argument "the ends justify the means" become invalid?

        3. JohnFen

          Re: Rotten to the core

          " Like every human organisation there will be good people and bad people working there."

          True, but this isn't an example of some "bad people". This is a bad company, designed to be such from day 1. There comes a point at which good people have to stop ignoring that they're working for such a company and leave it. With Uber, that point was years ago. I really question whether those who stick with the company can be considered "good people" as an absolute term. Not to say they're bad people -- but they are ethically compromised.

        4. Hans 1

          Re: Rotten to the core

          That these people need a wage to put food on the table, pay the mortgage etc.

          We all choose where we work, nobody comes along with a M16 shouting "Sign THAT", they don't threaten your family if you don't obey.

          Uber are scum and anybody still working there "deserves" what is to come. There are plenty of much better places to work for and it does not look like there is a shortage of job positions of various types.

          I do feel sorry for the non-employees, though, who work their balls off 24/7 for peanuts driving people around and being ripped off by scum, however, pretty sure there is a market for a competitor ... Uber has really blackened its name ...

          1. Charles 9

            Re: Rotten to the core

            "We all choose where we work, nobody comes along with a M16 shouting "Sign THAT", they don't threaten your family if you don't obey."

            No, they put price tags and taxes on everything, and no one else is willing to hire you. Ethics start going out the window when you can't put food on the table. Desperation is one of the greatest motivators for turning to crime.

    3. Just Enough

      Re: Rotten to the core

      You still don't understand. Uber is a self appointed "disruptive innovator". That means all the old boring laws and regulations don't apply to it. Stop trying to cramp its innovations! Laws are for squares and corporate suits! Get with the revolution!

    4. The Man Who Fell To Earth Silver badge
      FAIL

      Re: Rotten to the core

      Uber & the VC's behind it should be prosecuted under RICO.

      1. The Nazz

        Re: Rotten to the core

        I've often said that the executives and directors of firms acting this way should suffer criminal sanctions/prosecutions. Even more so when one of the main culprits, Joe Sullivan, is an ex federal prosecutor.

        So that's two life terms for him.

    5. unwarranted triumphalism

      Re: Rotten to the core

      You lot refuse to put your own house in order; we need competition.

      Start by cleaning up your own act.

    6. Mark 85

      Re: Rotten to the core

      In my opinion, criminality is so baked into the Uber culture that the first thing required to begin to change it is a complete replacement of the board of directors and all of upper management.

      Possibly it should go further down the chain. There's the "shadow of the leader" thing that spreads over time. Seems to be corrupt all the way from the Board to the drivers of late.

  2. redpawn

    Inside Job?

    Assurances from data thieves accepted?

    1. macjules

      Re: Inside Job?

      Wondered about that as well.

      At the time of the incident, we took immediate steps to secure ..

      That's CEO-speak for "we secured the stable door after the horse had bolted".

      1. Anonymous Coward

        Re: Inside Job?

        Just shoot the horse.

        1. Sir Runcible Spoon
          Devil

          Devils Advocate

          Out of curiosity, if Uber had published the breach and the miscreants had sold the data, how would the resulting situation be better for those people whose details were exposed?

          1. fajensen

            Re: Devils Advocate

            The situation is that their details are still exposed and that the thieves now have 100 kUSD also.

            1. Sir Runcible Spoon

              Re: Devils Advocate

              The details are still *at risk* of exposure, sure - but are they actually out of the box?

              1. JohnFen

                Re: Devils Advocate

                " but are they actually out of the box?"

                By definition, yes. The data is in the hands of people it should not be in the hands of.

                1. Sir Runcible Spoon

                  Re: Devils Advocate

                  By definition, yes. The data is in the hands of people it should not be in the hands of.

                  I understand what you are saying, just as I think you understand what I'm driving at, so could you lay off the pedantry for a moment and consider the actual question?

                  Yes, the data is theoretically still in the hands of the miscreants as there is no way to be certain they deleted it. However, there is also no data to suggest the purloined information is available to anyone else *other* than them (i.e. it hasn't been sold on the black market that we know of).

                  So, to re-iterate the question: If Uber hadn't paid them off and the miscreants had sold the info on to other nefarious individuals to exploit, how much better/worse off would those affected be?

                  And if anyone pedants on that I'll just give you up for a bunch of gummy-bear brains :P

                  1. JohnFen

                    Re: Devils Advocate

                    "as I think you understand what I'm driving at"

                    I wasn't trying to be pedantic. I think I simply don't understand what you were driving at. Are you suggesting that as long as the data isn't passed along to even more criminals, then all is OK? Because that's really what it sounds like.

                    To answer your question -- obviously, the more criminals who possess the data, the worse everybody is (up to a point, anyway). The point I raise is one of relevance. The data is already in the hands of criminals, so everybody is already harmed. If we assume the data stays just in the hands of the criminals who stole it (and there is literally zero reason to assume that, but let's just say for the sake of argument), the damage is still done.

                    1. Sir Runcible Spoon

                      Re: Devils Advocate

                      I'm not suggesting that there is no harm that criminals have possession of this data, I'm suggesting that it would be worse if the information were actually being used to harm those people who are in the dataset.

                      From a moral point of view, Uber have failed totally here, but from a practical point of view they may have actually done the best thing under the circumstances. That's kind of what I was getting at.

                      Like most things, it isn't always cut and dried as most people seem prepared to sacrifice principles for the sake of expediency.

                2. Anonymous Coward

                  Re: Devils Advocate

                  By definition, yes. The data is in the hands of people it should not be in the hands of.

                  Yes - Uber.

                  I suppose they haven't been involved in genocide, but it is getting to the point where you have to ask what laws they haven't broken.

    2. Adam 52 Silver badge

      Re: Inside Job?

      Why not? If you know who they are and have the ability to bring charges resulting in serious prison time if they renege on the deal it seems a fairly secure arrangement.

      This happens all the time. Muppet commits keys to GitHub, three random people get them, one of those three uses them. Corporate security/legal team contacts that person and asks them to delete what they've found. Usually it's just someone being curious and they're happy to, or already have.

      If that person's a bit more ruthless and wants to gouge you for money, well it's probably worth it. Just paying the lawyers and CEO and all the PR people will cost more than Uber paid. It's a far cry from paying up to an anonymous ransomware author using Bitcoin.

    3. Anonymous Coward

      Re: Inside Job?

      They made a pinky promise to delete the data and of course thievery is such an honourable profession that they can be trusted.

    4. Adam 52 Silver badge

      thieves

      The implication that there's any ill intent, which is causing people to use the word "thieves", is entirely a fabrication of El Reg. It's not in Uber's statement.

  3. Anonymous Coward

    Wonder if it might be late enough and in the spirit of El Reg irreverence to misappropriate SS ranks for these individuals....

    Copy might read then something like....

    "Uberst Gruppen Fuhrer Dara Khosrowshahi today revealed hackers broke into the ride-hailing app's databases....."

    and

    "Uber Sturm Bann Fuhrer Joe Sullivan ordered that the crooks be paid off, the stolen files erased......"

    ...Godwin's Law is only breached if you bring up the Bohemian Corporal and there's an outside chance they might actually be offended.

    1. Michael Thibault

      Uberst Gruppen Fuhrer Anonymous Coward, you seem peculiarly well-informed about these ranks... Won't you step into the office? We'd like to have a little chat with you. Off the record, of course.

      1. Anonymous Coward

        >you seem peculiarly well-informed about these ranks

        Apparently not since it appears I spelt them incorrectly - it's probably that MJB7 chap you should be worrying about - he does the umlauts and everything.

        1. Commswonk

          ...it's probably that MJB7 chap you should be worrying about - he does the umlauts and everything.

          For your future reference ü is Alt0252, or it is with Windows anyway.

          As any fule kno.

          1. stephanh

            Some points I'd like to make

            1. There was never an SS rank Übersturmbahnführer, with or without umlauts. It's all Ober-whatever, "Ober" meaning "Senior" in this context.

            2. If that was an intended part of the joke, I obviously didn't get it.

            3. There was, however, a book on the topic of the "Übermensch", namely "Also sprach Zarathustra".

            4. It was popular in some Nazi circles.

            5. Although actually *reading* it was a bit too much for the average Nazi thug.

            6. The book is mostly not about taxi driving.

            7. Although there is some stuff about camels in there.

            1. David Nash Silver badge

              Re: Some points I'd like to make

              2. Of course it was part of the joke. It's a story about Uber (no umlaut).

            2. Anonymous Coward

              Re: Some points I'd like to make

              >There was, however, a book on the topic of the "Übermensch", namely "Also sprach Zarathustra".

              To be honest you're not selling it all that well - any relation to that amazing Deodato track which was shamelessly ripped off by Sträüss for his 2001 soundtrack?

    2. MJB7

      Re: SS ranks

      Aaargh! What's with all the random spaces and capital letters in the middle of perfectly good German words: "Oberstgruppenführer" and "Ubersturmbannführer" (or if you can't do umlauts, at least "Oberstgruppenfuehrer" and "Ubersturmbannfuehrer")

      1. graeme leggett Silver badge

        Re: SS ranks

        Shouldn't it be in italics as well ?

        Bitte schon

      2. Solmyr ibn Wali Barad

        Re: SS ranks

        Jawohl, Herr Oberhurenjägerführer!

      3. Michael Thibault

        Re: SS ranks

        I wondered about there being no words with camel-case, so just did a copy-pasta. I've returned to raid the pantry and, fortunately, there's new intelligence. Thanks for the tips MJ.

  4. Anonymous Coward

    'the intruders accessed cloud-hosted data stores'

    Welcome to CloudFog - Cyberpunk - Cyberwar 101 - First Edition!

    Now tell that to shareholders who let corporations migrate to Cloud.

    1. Anonymous Coward

      Re: Now tell that to shareholders who let corporations migrate to Cloud.

      It's true. No locally stored data has ever been compromised, just cloud stuff. How could people be so stupid as to think that a global corporation could manage a data centre better than my mate Terry does ours?

    2. Pen-y-gors

      Re: 'the intruders accessed cloud-hosted data stores'

      The incident did not breach our corporate systems or infrastructure.

      Yes it did - regardless of whether you store data on a USB stick, a networked server or in the cloud, they're all part of your corporate systems and infrastructure!

  5. Michael Thibault

    "putting integrity at the core of every decision we make"

    And mellifluous lies on the sleeve of your every public declaration?

    It's déjà-vu 2.0.

    1. This post has been deleted by its author

  6. Anonymous Coward

    No cards stolen?

    Wonder if this is related though: http://www.channelnewsasia.com/news/singapore/uber-users-in-singapore-charged-for-phantom-rides-overseas-9423624

    1. Mark 85

      Re: No cards stolen?

      And then there's this: https://www.aol.com/article/finance/2017/11/21/uber-riders-are-again-getting-charged-thousands-of-dollars-for-trips-they-didnt-take/23284245/ which seems to be ignored. Are these related or separate problems?

      1. Pen-y-gors

        Re: No cards stolen?

        Quite probably separate incidents. Dodgy drivers who note the card details? Sexual assault isn't all they get up to.

        The only time I've had a card scammed involved a taxi (pre-Uber days). Used my online card to order some spare parts for a kettle, didn't come, cancelled order. Few weeks later I apparently used the card to pay £60 for a taxi somewhere in Kent. Hadn't been there for years! Obviously got a refund. Obviously reported details to Plods. Obviously they did nothing.

  7. This post has been deleted by its author

  8. Anonymous Coward

    Schwarzbraun ist die Haselnuss

    I am a little confused. !!!

    Do Uber have a secret 'ODESSA file' containing the names of influential people ??? :)

    They seem to be able to do anything and admit anything (no matter how late) and get no real kick back.

    Can you imagine any other company that could get away with so much and still survive.

    There may be more to this 'Uberst Gruppen Fuhrer' idea than you think !!! :)

    Cue rousing chorus of 'Schwarzbraun ist die Haselnuss' ....... all together now !!! :)

  9. Anonymous Coward

    D I S R U P T I O N

    Sucks eh?

    1. Anonymous Coward

      Re: D I S R U P T I O N

      It seems Uber, AWS and others disrupt in the same way communism and fascism disrupted the 20th century.

      1. Paul 195

        Re: D I S R U P T I O N

        As far as I know, AWS aren't engaged in the kind of systematic law breaking Uber have been. Only the corporate tax avoidance practiced by all the global tech elite. Seems harsh to say they're as bad as Uber.

        1. Anonymous Coward

          Re: D I S R U P T I O N

          AWS aren't engaged in the kind of systematic law breaking Uber have been. Only the corporate tax avoidance practiced by all the global tech elite.

          Far and away past time we stopped allowing this kind of wholesale corporate tax avoidance.

          If your average hard working joe did the same, there'd be little or no public services or civilisation whatsoever, and he'd find his life full of government interference if he tried, most certainly thought of as a criminal.

          1. Adam 52 Silver badge

            Re: D I S R U P T I O N

            "Only the corporate tax avoidance practiced by all the global tech elite."

            Amazon generally avoid tax by reinvesting pretty much all of their profit. And by not making that much profit, relatively speaking.

            Yes there's the royalty payments dodge used to move money from the EU to US without paying EU tax, but that's small fry ($250m), again relatively.

            Google, Facebook and Apple don't reinvest in the same way and generate huge amounts of cash which they then attempt to launder through various corporate structures and jurisdictions.

        2. John Brown (no body) Silver badge

          Re: D I S R U P T I O N

          "Only the corporate tax avoidance practiced by all the global tech elite"

          FTFY, or do you think it's only tech companies doing it?

  10. Haku

    I'm sure MoonPig have an appropriate "Sorry we lost control of our data on you and were blackmailed into handing over $100k to stop them spreading it, over a year ago" card for this occasion they can send out to everyone...

    1. Dan 55 Silver badge
  11. Anonymous Coward

    I'm glad that I never used Uber.

    I've driven with Lyft a couple times, I'll stick with that.

  12. Lysenko

    To be fair (?!) ...

    ... there is a bigger issue in play here than routine Uber shysterism,

    accessed user data stored on a third-party cloud-based service that we use

    ... and there it is. Admittedly, the Amazon S3 user interface can be viciously user-hostile in places, but the real issue is that they were offloading unencrypted, personally identifiable data into a "cloud" in the first place. In cases like Equifax the miscreants have to go to the trouble of spearphishing the target, but these passive (or more accurately, actively stupid) leaks almost invariably have a cloud (usually AWS) at the core.

    GDPR should have been worded to explicitly outlaw the transmission and storage of unencrypted personal data outside of a company controlled network. S3 makes a perfectly good 21st-century tape cupboard for storing offsite encrypted backups, but for "live" data it is an accident waiting to happen (over and over again).

    1. Adam 52 Silver badge

      Re: To be fair (?!) ...

      "GDPR should have been worded to explicitly outlaw the transmission and storage of unencrypted personal data outside of a company controlled network"

      So you're saying that unencrypted files of user data on corporate laptops is OK?

      Or on department file servers?

      Sounds a lot like you're responsible for the NHS network!

      In this particular example it doesn't matter a jot whether the data was encrypted or not - S3 offers server side encryption that would satisfy your rule and it may well have been enabled. Wouldn't affect the outcome at all.

      Legislation should never mandate a technical approach, it should define requirements. Otherwise it stifles progress and just invites stupid implementation.

      1. Charlie Clark Silver badge

        Re: To be fair (?!) ...

        So you're saying that unencrypted files of user data on corporate laptops is OK?

        No, he didn't say that.

      2. Lysenko

        Re: To be fair (?!) ...

        So you're saying that unencrypted files of user data on corporate laptops is OK?

        Nope.

        Or on department file servers?

        Yep. If the server is firewalled appropriately.

        In this particular example it doesn't matter a jot whether the data was encrypted or not - S3 offers server side encryption that would satisfy your rule and it may well have been enabled. Wouldn't affect the outcome at all.

        It most certainly would because it was obviously possible to decrypt the data merely by having the S3 login credentials. Break into our S3 buckets and you'll find dozens of 1GB chunks of AES encrypted backup files which not even I know the decryption key for (because it's too big and lives on three USB drives kept in safes in three different cities). If you want to get at decrypted data you either break AES, learn burglary and safecracking, or figure out a way to Equifax our internal network.

        Putting customer data on S3 in the manner you're suggesting is tantamount to allowing dial up access to internal systems protected by nothing more than username/password login credentials - essentially the same (lack of) security as GMail.

  13. Kevin McMurtrie Silver badge

    Thanks much

    Can I forward all my botnet spam to Uber to thank them for funding criminals?

  14. Kirk Northrop

    "The incident did not breach our corporate systems or infrastructure."

    Many startups don't have "corporate systems or infrastructure" outside of AWS and GitHub. This isn't IBM with a huge worldwide network in their own data centres. So considering they got access to both, it suggests that they did...

  15. lglethal Silver badge
    Thumb Down

    Just for a bit of extra info

    The 600k Uber Drivers whose data was stolen may receive Credit Monitoring Services, the 57 Million Users whose data was stolen will not.

    They really care about their customers, don't they?

    1. Prst. V.Jeltz Silver badge

      Re: Just for a bit of extra info

      "putting integrity at the core of every decision we make"

      That's going to be quite a shift in direction for them!

    2. Anonymous Coward

      Re: Just for a bit of extra info

      Because their customers are the drivers. The passengers are just goods in transit that allow them to sell their service to the drivers.

      Of course all that data is useful too.

    3. rmason

      Re: Just for a bit of extra info

      @lglethal

      The drivers are Uber's customers.

      The people who ride in their cars are the customers of those drivers.

      That's core to their model, otherwise they'd have to treat their "definitely not employees", as employees. That's expensive, and therefore a bad thing.

      If the people taking rides were the customers, then Uber would be a taxi company, and have to comply with all those pesky regulations and rules. See above. Expensive. Bad.

    4. Anonymous Coward
      Joke

      Re: Just for a bit of extra info

      >The 600k Uber Drivers whose data was stolen may receive Credit Monitoring Services, the 57 Million Users whose data was stolen will not.

      >They really care about their customers, don't they?

      Ah, but it's okay as these people are already getting free credit monitoring services courtesy of the Experian breach.

  16. Anonymous Coward
    Anonymous Coward

    "I recently learned that in late 2016"

    I've just turned on my patented bullshit detector and it has gone all the way up to 11!

    Nice to know a company such as Uber can make payments of 100k without the board knowing, that must be the norm then and they don't have the standard sign off processes for payments that every other f*cking company on the planet follows.

    1. GruntyMcPugh Silver badge

      Re: "I recently learned that in late 2016"

      So they have an "H, B, 'n H" cash tin... "Hookers, Blow, 'n Hush money". Ah, and "OMRoRV"... I'll let peeps figure that one out.

    2. Gotno iShit Wantno iShit

      Re: "I recently learned that in late 2016"

      Nice to know a company such as Uber can make payments of 100k without the board knowing, that must be the norm then and they don't have the standard sign off processes for payments that every other f*cking company on the planet follows.

      Dara Khosrowshahi joined Uber as CEO in August 2017. Travis Kalanick, the founder and CEO of this nest of vipers at the time of the breach & coverup, certainly did know.

      I do so hope that the authorities hold the individuals accountable and not the company.

    3. Anonymous Coward
      Anonymous Coward

      Re: "I recently learned that in late 2016"

      Yep, they are incompetent. Why would it take that long for any professional organisation to find out?

    4. rmason

      Re: "I recently learned that in late 2016"

      The board knew full well.

      They just didn't think it important that the new CEO should know, because they know he would then act as the law dictates and disclose it.

      1. Sir Runcible Spoon
        Facepalm

        Re: "I recently learned that in late 2016"

        Didn't anyone else read the bit where they disguised this payoff as a bug-bounty, along with all the relevant NDAs etc.?

    5. midcapwarrior

      Re: "I recently learned that in late 2016"

      I'm guessing that 100K was the magic number that required board approval.

      Or the total was 100K but it was broken into multiple payments to stay below the reporting requirements.

  17. Roj Blake Silver badge

    "The incident did not breach our corporate systems or infrastructure"

    It doesn't matter if you own the server or if you're renting it. If it's got your stuff on it, it's your infrastructure.

    1. GruntyMcPugh Silver badge

      Re: "The incident did not breach our corporate systems or infrastructure"

      Yup, and what I really don't get here is leaving the S3 creds hardcoded... I've played with accessing our Amazon S3 bucket using PowerShell... first thing that struck me was that leaving the creds hardcoded was a bad idea, so used include files. You put these somewhere different, like a folder called 'NO_Upload' which isn't a sub folder of where your code is.

      1. Alistair
        Windows

        Re: "The incident did not breach our corporate systems or infrastructure"

        what was that thing again .... oh .gitignore
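
A check for the mistake discussed in the two comments above, as an added example that is not part of the original thread: it scans a folder for hardcoded AWS access key IDs and secret keys. The file names, the `repo/` and `NO_Upload/` layout and the key pair (the placeholder pair from AWS documentation) are constructed for illustration.

```python
import os
import re
import tempfile

# AWS access key IDs are 20 characters; long-term IDs start AKIA, temporary ones ASIA.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A 40-character value assigned to a variable whose name mentions "secret".
SECRET_KEY = re.compile(r"(?i)secret\w*\s*[=:]\s*[\"']([A-Za-z0-9/+=]{40})[\"']")
# Constructed sample: the placeholder key pair used in AWS's own documentation.
CREDS = ('$AccessKey = "AKIAIOSFODNN7EXAMPLE"\n'
         '$SecretKey = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n')

def scan_tree(root):
    """Return sorted (relative_path, line_number, kind) hits under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip git internals
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if ACCESS_KEY_ID.search(line):
                        findings.append((rel, lineno, "access-key-id"))
                    if SECRET_KEY.search(line):
                        findings.append((rel, lineno, "secret-access-key"))
    return sorted(findings)

def build_sample(base):
    """Write the constructed layout: repo/ plus a sibling NO_Upload/ folder."""
    files = {
        "repo/bad_upload.ps1": CREDS,  # credentials hardcoded in the repo
        "repo/good_upload.ps1": '. "..\\NO_Upload\\creds.ps1"\n',  # dot-sources them
        "NO_Upload/creds.ps1": CREDS,  # credentials kept outside the repo
    }
    for rel, text in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return os.path.join(base, "repo")

def demo():
    """Scan only the repo, then the parent folder that also holds NO_Upload."""
    with tempfile.TemporaryDirectory() as base:
        repo = build_sample(base)
        return scan_tree(repo), scan_tree(base)

if __name__ == "__main__":
    print(demo())
```

Scanning only `repo/` reports `bad_upload.ps1`; scanning the parent folder also reports `NO_Upload/creds.ps1`, which is why that folder has to stay outside whatever gets committed or published.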

  18. AbsolutelyBarking
    FAIL

    Private sector fail

    This is a great example of why we don't want monopoly control or private sector domination of any particular market.

    We should have an open access transport platform that any provider can tap into. Run for the community rather than the 0.1% mega wealthy owners/shareholders. However HMGov probably won't mandate this because this type of initiative won't pay into their party coffers.

    See https://www.crowdfunder.co.uk/faircab/ or http://libretaxi.org/

    And "unencrypted data". Really? In 2017? Words fail me....

  19. Anonymous Coward
    Anonymous Coward

    What's in a name?

    They're not called Uber for nothing!

  20. wolfetone Silver badge

    I wonder if all those in London moaning about TfL's decision to not award Uber a license are still moaning about it?

    Their attitude towards their employees was bad, but their attitude towards the data of their customer is pure disgusting. The hackers got the data, but Uber have their word they just deleted it for $100,000? Bullshit.

    1. David Nash Silver badge
      Facepalm

      "I wonder if all those in London moaning about TfL's decision to not award Uber a license are still moaning about it?"

      They probably are, because with Uber they can use an app and it's cheaper than a taxi. What's not to like?

      In fact they are probably saying "this happened last year and nothing bad happened, get over it".

  21. Tony W

    Learn from our mistakes, you bet.

    They always say this and I always laugh.

    The cover-up was no mistake, it was clearly intentional. Being found out was a mistake that I'm sure they'll try to learn from.

    The whole episode confirms that white collar crime pays, and part of the reason is that companies will pay criminals to avoid big embarrassment. It's not a new lesson but I suppose there will always be some new people learning it.

    Apart from that, surely it's a bit naive to suppose that criminals will destroy the data just because you've given them some money.

    1. Charles 9

      Re: Learn from our mistakes, you bet.

      Not necessarily. At least SOME honor is in store, or if the criminals renege, then the next company to get blackmailed like this may not be willing to pay.

  22. Milton

    You could knock us down with a feather ...

    You could knock us down with a feather ... because we are all SO surprised that Uber turns out to be a bunch of scummy, greedy, unprincipled liars.

    Still, Uber's constant haemorrhage of dishonest, avaricious, amoral, disgraced executives means there'll be a plentiful supply of exactly the kind of people suited to Congress.

  23. Aladdin Sane

    Uber caught doing something shitty

    The day must end in a "Y".

    1. Charles 9

      Re: Uber caught doing something shitty

      Then they'd be in pretty big trouble in Spanish-speaking countries, then, since NONE of the days there end in "y": only in "s" or "o".

  24. ukgnome

    How are these idiots still a thing.

    worst company ever!

  25. JimmyPage Silver badge
    Megaphone

    Interesting distinction they make ....

    between "corporate" data - which we are assured WASN'T affected, and "customer data" (i.e. the untermensch) which was, but hey: who cares?

  26. Anonymous Coward
    Anonymous Coward

    There's a potentially bigger issue here for Kalanick......

    as part of any fundraising there is something called 'Material Issues' that have to be declared by certainly the Chief Executive and Chief Financial Officer and often by other senior management as well.

    This declaration is incorporated into the Fundraising Subscription Agreement by the investors as the basis on which they have invested.

    Something like hiding a payment to cover up a criminal act (security breaches are required to be declared in a number of US States and European Countries) could well make Kalanick personally liable for misleading the investors.

    What's the potential upshot? If the other investors were so inclined they could look to bring an action against Kalanick that could in due course lead to his shares in Uber being either diluted or revoked to the point of being worthless.

  27. ecofeco Silver badge

    How the fuck are they still in business?

    See title.

  28. Tigra 07
    Mushroom

    As a regular Uber user...

    Fine the bastards. Fine them high, then fine them some more. Make it really hurt. Obliterate their finances. Fine them so badly they're still suffering in a few years from now.

    The BBC is talking about a £10 million fine. No. Fine them a few Billion. They knew what was happening was wrong and still paid a ransom and covered it up.

    Make the fine so high that I have to use regular rip-off taxis again.

    1. JohnFen

      Re: As a regular Uber user...

      "Fine the bastards."

      That's not enough. I think the only really appropriate thing to do is revoke their corporate charter. Or, failing that, revoke their licenses to operate.

      1. Tigra 07

        Re: As a regular Uber user...

        Without their license they just appeal and continue working while appeals are going through (like now in London).

        1. Anonymous Coward
          Anonymous Coward

          Re: As a regular Uber user...

          Then make it so the injunction is in effect during the appeals process.

  29. sjsmoto

    I want any business claiming they've improved their data security and it won't happen again to store the personal bank account information for their board members and managers in this newly secured database as a way of showing their own trust in it.

  30. s. pam Silver badge
    FAIL

    More validation Uber are scum

    Never used them, now damn sure never will.

    Rotten to the crankshaft of their engine, and clearly deluded by inhaling exhaust gasses.

    1. Anonymous Coward
      Anonymous Coward

      Re: More validation Uber are scum

      So question: If you're stranded somewhere under adverse conditions (bad weather, long distance), you can't raise anyone, and you can't afford a cab to get home, how do you get home?

  31. 2Nick3

    Some wonderful quotes there.

    “I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it.”

    Or mis-handled it, if you want to be more precise.

    “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”

    So there is lots of learning going on at Uber, I guess.

  32. Anonymous Coward
    Anonymous Coward

    So... another hacker has all of our info...

    After Equifax... pretty sure all of the US consumer base's info is pretty much public domain.

  33. Anonymous Coward
    Anonymous Coward

    secure the data

    "we took immediate steps to secure the data"

    If someone outside your company has taken a copy of your data, then there is absolutely nothing you can possibly do any more to secure the data. Regardless of how secure you make your own copy, the other party still has theirs which they can distribute on the dark web at will.

  34. Sven Coenye
    Coat

    Inquiring minds...

    Did those two have a hack license?

    (Cuz Uber sure doesn't...)

  35. unwarranted triumphalism

    Our parents told us not to get into vehicles with strangers

    Maybe parents should now be telling children not to give away their data to strangers.

  36. hatti

    Word salad.

    While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.

    The usual and predictable get out of jail free company word salad. If Uber are putting integrity at the core of every decision, how come they refused to pay for drivers' English tests because they considered them too difficult? What happened to the integrity that day?

  37. lifetime security

    Changing a company culture is not easy

    The general consensus is that it takes anywhere from 2-3 years to change a company culture. That is when the company is operating ethically but has some challenges. However, an unethical and immoral company requires many more changes. Uber will keep on disclosing many more violations. By not disclosing the breaches to the customers and drivers, Uber violated California law. There is no excuse.

  38. Phage

    I've been advising all my family against Uber for exactly their reaction to being hacked since 2015

    http://www.bbc.co.uk/news/magazine-32900600
