Uber quietly paid hackers $100,000 late last year to delete personal data the cyber criminals had stolen from 57 million riders and drivers - and the rideshare giant said it feels "assured" the hackers kept their word. But experts say it is impossible to know whether copies could exist.
In Oct. 2016, after learning of the breach, Uber's team tracked down the hackers and paid them to destroy the data, which included names, phone numbers, and email addresses for 50 million riders globally and 7 million drivers in the United States. Of those drivers, 600,000 also had their driver's license numbers exposed.
An Uber spokesperson declined to comment on why the company was confident the personal records were destroyed, but the New York Times reported that as part of the deal, the hackers agreed to sign non-disclosure agreements.
The Integrity of Uber
Bargaining with hackers over ransomware - when cyber thieves lock up your files and hold them hostage for money or Bitcoin - is incredibly common, according to experts. However, the security experts NBC News spoke with said that although there are some unanswered questions, Uber's tactic of negotiating with criminals and then not publicly disclosing the breach is highly unusual.
"It is all but desperation and a leap of faith and keeping one's fingers crossed that the criminals are people of their word," Robert Siciliano, CEO of IDTheftSecurity.com, told NBC News. "When engaging criminals in a demand of extortion, an individual or company would be doing this as a last resort because they didn't protect their data in the first place, they hadn't backed up the information, or the data that could be leaked was disparaging."
Uber CEO Dara Khosrowshahi Responds
While Uber CEO Dara Khosrowshahi said the breach - which did not occur under his tenure - should have been disclosed, Uber does have one thing going for it that may bring some peace of mind: time.
Over the past year, there haven't been any reported instances of fraud or misuse tied to the breach, according to Khosrowshahi.
The company is also flagging affected accounts for additional fraud protection and is offering free credit monitoring and identity theft protection services to the U.S.-based drivers who had their driver's license numbers exposed.
But Can Uber be Trusted?
But the disclosure - one year later - is fueling even more questions about why Uber wanted to cover it up and whether the $100,000 payout could incentivize more hackers to act.
"The more criminals are incentivized, it makes our job harder," Michael Reitblat, an online fraud expert and CEO of fraud protection company Forter, told NBC News. "We shouldn't be negotiating with cyber criminals."
We certainly agree that no criminal should be given incentives. One would have to think that Uber also stood to gain something in this agreement; otherwise, why would it pay the hackers and not publicly disclose the hack? Keeping the breach quiet for a year also runs directly against the U.S. state data breach notification laws, which require a company entrusted with consumers' personal information for the purpose of providing its services to notify those consumers when that information is exposed.
Other Companies Use Bug Bounty Programs
One way to positively incentivize hackers is through bug bounty programs, which encourage ethical hackers to help find flaws in a company's website or product. A growing number of companies, from Uber to Tesla and Apple, are using bug bounties as another layer of security.
Source: NBC News