Uber’s Extortion Incident: Avoiding Future Missteps and Misunderstandings

In late November 2017, Uber announced a previously undisclosed theft of data affecting roughly 57 million riders and drivers that had taken place roughly a year earlier. The ride-sharing startup said it had arranged $100,000 payment a year earlier to keep their users’ data off the internet. The ransom was routed through the company’s bug bounty vendor, HackerOne. 

Eventually, attorneys representing Uber showed up with legal documents at a trailer park in Florida and confronted a 20-year old living with his mother. The company similarly confronted his Canadian partner. Uber’s security team was additionally able to gain other, more technical assurances that the data in question was deleted. 

At the time, Uber likely reasoned that, since no data had been posted publicly or disseminated through Underground economies, there was no requirement to disclose it to regulators. 

However, a year later, the company shed the people it believed were responsible for that decision, including its widely well-regarded Chief Security Officer, Joe Sullivan, and its legal director of security and law, Craig Clark. The news reverberated throughout Silicon Valley – inviting scrutiny both from states’ attorneys general and Congress.  

The incident even reportedly caused several of Uber’s peers to take “a harder look at their bounty programs.”1 Many asked, what went wrong?

In February, Javelin sat down with the people in charge of Uber’s Vulnerability Disclosure Rewards program. In the room: the head of the company’s security and privacy communications; the product manager for the firm’s bug bounty program; and the engineering manager of Uber’s product security team.
The conversation ranged from what went wrong in the November 2016 incident to how the company operates a successful program that’s paid out more than $1.3 million to security researchers. 

Data in this report is based on information collected in a random-sample panel of 800 information technology security decision-makers, 200 of whom work in financial services. For questions answered by all 800 survey respondents, the maximum margin of sampling error is ±3.46 percentage points at the 95% confidence level. For questions answered by all 200 financial services respondents, the maximum margin of sampling error is ±6.93 percentage points at the 95% confidence level. The maximum margin of sampling error is higher for questions answered by segments of respondents.