It may have been the most arresting detail in a story full of them: Not only did Uber allow hackers to make off with the personal data of 57 million customers and drivers, but the ride-hailing company also had paid those same criminals $100,000 to delete the data and keep their mouths shut about the entire episode.
If it sounds like an old-school crime wrapped in a new-school mold — blackmail for the digital era — that’s because it is, according to cybersecurity experts. The only new thing about hacks and subsequent hush money is the belief among cybersecurity professionals that similar payments are occurring with increasing frequency.
“In the security practice, paying a ransom is usually cheaper than paying the price of corrective actions after a successful breach,” said Csaba Krasznay, a security evangelist at Balabit.com, referring to the price of public and regulatory scrutiny that could come from announcing a breach. “That is why the cyber crime model works: ‘We have your data, pay us X bitcoins and we won’t publish it on the dark net.’ Or: ‘We started a DDoS attack against your service, pay Y bitcoins and we’ll stop it.’ ”
He added: “Based on the rumors, more and more companies have their own bitcoin wallets for such cases.”
Experts said there is no way to know how many companies have resorted to paying off attackers, but as the volume of cyberattacks skyrockets, they reason that so would the number of companies being forced into desperate scenarios where their data and their reputation is at stake.
The FBI has said that ransomware payments — often made after malware arrives via email — have increased dramatically in recent years, “approaching $1 billion annually.”
The companies who have paid aren’t limited to the tech world. Last year, Hollywood Presbyterian Medical Center in Los Angeles paid hackers nearly $17,000 after its network was infiltrated and disabled. And this year there were reports that many companies paid ransom to the hackers behind the infamous WannaCry attack.
Uber officials were also willing to pay after it became clear last year that two attackers had accessed names, email addresses and phone numbers of 57 million people around the world, according to a statement released by the company’s chief executive, Dara Khosrowshahi. The driver’s license numbers of about 600,000 U.S. drivers were also included. Uber removed Joe Sullivan, the company’s chief security officer, as well as a deputy who worked with him, for their role in keeping the breach quiet, according to Bloomberg.
“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said in the statement.
Uber did not immediately respond to a request for comment about their decision to pay off hackers.
For a company like Uber, experts said, one already struggling to navigate waves of bad publicity, there may have been a few good options in the wake of last year’s attack.
“Most companies know that by paying the ransom does not necessarily mean the attack is over,” said Travis Jarae, chief executive of the research and strategy company One World Identity. “A fear of public shame, reputation loss, and potential regulatory action outweighs notification and admission of guilt.”
But Jarae and other experts agreed that by agreeing to pay the ransom, Uber and other companies are putting all companies — and the public data that they rely on — at greater risk.
“Hackers talk to each other,” Mark Orlando, the chief technology officer for cyber services at Raytheon. “By staying silent, Uber has empowered them for a year, where they could have brought this into the light, raised public awareness of the threat and made some good come of this. Instead, the company gave its attackers exactly what they wanted — a lot of money, and a reason to try this again and again.”
There’s another reason to disclose a hack, experts said: Regulators can slap companies with millions in fines if they fail to notify the proper authorities.
David Murakami Wood, a surveillance and security expert at Queen’s University, said he doesn’t have any concrete numbers, but suspects such payments “are very widespread.” For a company like Uber, he said, the reason officials should’ve avoided paying off cyber hackers is the same reason companies try to avoid paying off non-digital criminals: Because they’ll return next time asking for more.
A year later, he said, Uber finds itself even worse off than it was after the hack.
“They’re in a quite a fragile position right now,” he said. “Their business model requires them to convince cities that they should not be subject to the same kinds of regulations as conventional taxi companies, but what they’re showing is that they can’t be trusted to and can’t manage their own data. They’re unable to self-regulate, and that’s exactly what they’re telling these cities they can do.”