Uber’s Extortion Incident: Avoiding Future Missteps and Misunderstandings
- Date:May 09, 2018
- Author(s):
- Sean Sposito
- Report Details: 12 pages, 4 graphics
- Research Topic(s):
- Cybersecurity
- Fraud & Security
- PAID CONTENT
Overview
In late November 2017, Uber announced a previously undisclosed theft of data affecting roughly 57 million riders and drivers that had taken place roughly a year earlier. The ride-sharing startup said it had arranged a $100,000 payment at the time to keep its users’ data off the internet. The ransom was routed through the company’s bug bounty vendor, HackerOne.
Eventually, attorneys representing Uber showed up with legal documents at a trailer park in Florida and confronted a 20-year-old living with his mother. The company similarly confronted his Canadian partner. Uber’s security team was additionally able to obtain other, more technical assurances that the data in question had been deleted.
At the time, Uber likely reasoned that, since no data had been posted publicly or disseminated through underground economies, there was no requirement to disclose the incident to regulators.
However, a year later, the company dismissed the people it believed were responsible for that decision, including its widely regarded Chief Security Officer, Joe Sullivan, and its legal director of security and law, Craig Clark. The news reverberated throughout Silicon Valley, inviting scrutiny both from states’ attorneys general and from Congress.
The incident even reportedly caused several of Uber’s peers to take “a harder look at their bounty programs.”1 Many asked, what went wrong?
Methodology
In February, Javelin sat down with the people in charge of Uber’s Vulnerability Disclosure Rewards program. In the room: the head of the company’s security and privacy communications; the product manager for the firm’s bug bounty program; and the engineering manager of Uber’s product security team.
The conversation ranged from what went wrong in the November 2016 incident to how the company operates a successful program that’s paid out more than $1.3 million to security researchers.
Data in this report is based on information collected in a random-sample panel of 800 information technology security decision-makers, 200 of whom work in financial services. For questions answered by all 800 survey respondents, the maximum margin of sampling error is ±3.46 percentage points at the 95% confidence level. For questions answered by all 200 financial services respondents, the maximum margin of sampling error is ±6.93 percentage points at the 95% confidence level. The maximum margin of sampling error is higher for questions answered by segments of respondents.