Wednesday, November 22, 2017

Uber paid off their hackers — and they’re far from the only ones

By Peter Holley November 22, 2017

It may have been the most arresting detail in a story full of them: Not only did Uber allow hackers to make off with the personal data of 57 million customers and drivers, but the ride-hailing company also had paid those same criminals $100,000 to delete the data and keep their mouths shut about the entire episode.

If it sounds like an old school crime wrapped in a new school mold — blackmail for the digital era — that’s because it is, according to cyber security experts. The only new thing about hacks and subsequent hush money is the belief among cyber security professionals that similar payments are occurring with increasing frequency.

“In the security practice, paying a ransom is usually cheaper than paying the price of corrective actions after a successful breach,” Csaba Krasznay, a security evangelist at Balabit.com, said, referring to the price of public and regulatory scrutiny that could come from announcing a breach.

•••••

“Based on the rumors, more and more companies have their own Bitcoin wallets for such cases,” he added.

•••••

The FBI has said that ransomware payments — often made after malware arrives via email — have increased dramatically in recent years, “approaching $1 billion annually.”

The companies that have paid aren’t limited to the tech world. Last year, Hollywood Presbyterian Medical Center in Los Angeles paid hackers nearly $17,000 after its network was infiltrated and disabled. And this year there were reports that many companies paid ransom to the hackers behind the infamous WannaCry attack.

Uber officials were also willing to pay after it became clear last year that two attackers had accessed names, email addresses and phone numbers of 57 million people around the world, according to a statement released by the company’s chief executive Dara Khosrowshahi. The driver’s license numbers of about 600,000 U.S. drivers were also included. For their role in keeping the breach quiet, Uber removed Joe Sullivan, the company’s chief security officer, as well as a deputy who worked with him, according to Bloomberg.

•••••

But Jarae and other experts agreed that by agreeing to pay the ransom, Uber and other companies are putting all companies — and the public data that they rely on — at greater risk.

“Hackers talk to each other,” said Mark Orlando, the chief technology officer for cyber services at Raytheon. “By staying silent, Uber has empowered them for a year, where they could have brought this into the light, raised public awareness of the threat and made some good come of this. Instead, the company gave its attackers exactly what they wanted — a lot of money, and a reason to try this again and again.”

There’s another reason to disclose a hack, experts said: Regulators can slap companies with millions in fines if they fail to notify the proper authorities.

•••••