Uber: No Evidence of Sensitive Data Breach in Security Incident
Uber’s computer network was hacked on Thursday, leading the ride-hailing giant to take several internal communications and engineering systems offline as it investigated the hack, as reported earlier by the New York Times.
Uber said its investigation was ongoing Friday at 10:30 a.m. PT, but said there was “no evidence that the incident involved access to sensitive user data.”
Uber, Uber Eats, Uber Freight and Uber Drive were all up and running on Friday, and Uber is now bringing its internal software tools back online.
Uber had said in an earlier statement that it was investigating a cybersecurity incident and was in contact with law enforcement officials. The FBI would help Uber investigate the incident. Uber did not immediately respond to a request for comment on the matter.
The company had instructed employees on Thursday not to use the workplace messaging app Slack, the report said, citing two employees. Other internal systems were also inaccessible, the Times reported.
According to the Times, shortly before Slack was taken offline on Thursday afternoon, Uber employees received a message on the app that read, “I am announcing that I am a hacker and that Uber suffered a data breach”. The message also listed several internal databases that the hacker said had been compromised, the Times reported.
The hacker, who said he was 18, said he was motivated by what he called weak security and provided screenshots of Uber’s internal systems to prove his access, the Times reported.
The hacker sent the message through the app after compromising a worker’s account, Uber told The Times. The hacker was apparently also able to access other internal systems, posting an explicit photo on an internal employee information page, the newspaper reported.
Uber has been hacked before. In 2018, it agreed to a $148 million settlement for a 2016 data breach that the ridesharing service did not disclose. Hackers were able to steal data on 57 million drivers and passengers, including personal information such as names, email addresses and driver’s license numbers.
Rather than publicly disclose the hack, which companies are required to do within a certain number of days in states like California, Uber paid the hackers $100,000 to delete the information and had them sign a non-disclosure agreement.
Joe Sullivan, who served as Uber’s chief security officer from April 2015 to November 2017, was indicted in 2020 for allegedly covering up the breach. Sullivan described the payment as a bug bounty reward, which companies often pay to researchers who discover security flaws, but prosecutors said the payment was more of a cover-up than a bounty reward.