Naked Security

Hackers plead guilty to breach that Uber covered up

The two men pointed to Uber's $100K hush-money payment when they tried to extort LinkedIn-owned Lynda, which instead called the cops.

Remember when Uber was hacked but paid the hackers $100,000 in hush money to delete the data and zip their lips about it?

The two men who did the hack are going down.

Brandon Charles Glover, 26, of Florida, and Vasile Mereacre, 23, of Toronto, each pleaded guilty on Wednesday in a San Jose courthouse in California to one charge of conspiracy to commit extortion involving computers. Specifically, they pleaded guilty to stealing personal information that companies had stored on Amazon Web Services between October 2016 and January 2017, and then demanding money to destroy their copies of the data.

They each face up to five years in prison and a fine of $250,000 and will be sentenced in March 2020. Maximum sentences are rarely handed out.

With the guilty pleas, Uber’s elaborate coverup has been dragged back into the limelight.

The data of 57 million drivers and customers was stolen in the 2016 data breach. Uber not only kept the breach secret from the victims, it also paid $100,000 in hush money, in exchange for the pair deleting the data and keeping quiet: $50,000 to each of the two crooks.

Uber paid off crooks whose identities it had already figured out

This was after the company had already discovered Glover’s true identity. On 3 January 2017 an Uber representative met him in Florida and had him sign a nondisclosure agreement in his real name; two days later, a representative met Mereacre at a restaurant in Toronto and had him sign an NDA in his real name, too.

It wasn’t until 10 months later, in November 2017, that Uber told riders and drivers that it had lost control of their personal information and that it had fallen into the hands of crooks. The company not only hid the breach from those affected, but also from the Federal Trade Commission (FTC) while the watchdog was investigating Uber over a separate database hack, from 2014.

Both the 2014 and the 2016 hacks were made possible by the same security failure: in both breaches, Uber’s engineers had left the keys to the castle, credentials for the company’s Amazon Web Services S3 storage, sitting in code on GitHub, where the attackers found them.
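As an added example, not code from the article, from Uber or from the DOJ filings: the kind of small scanner a team runs as a pre-commit hook so that AWS credentials are caught before they ever reach a repository. It matches the documented AWS key formats (long-term IAM access key IDs start with AKIA, temporary STS ones with ASIA; secret keys are 40 characters with no fixed prefix, so they are found by context plus entropy). The sample credentials file is constructed for the example and uses AWS’s published example key pair, which is not a live credential.

```python
"""Scan text or a staged git diff for AWS credentials (pre-commit hook style).

Added illustration; not the article's, Uber's or the DOJ's code.
"""
import math
import re
import subprocess
from collections import Counter

# AWS access key IDs: 20 uppercase alphanumerics with a known prefix.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# Secret access keys have no prefix: 40 chars of [A-Za-z0-9/+], so we require
# a telling keyword next to them and then check entropy to drop placeholders.
SECRET_KEY_RE = re.compile(
    r"(?i)(aws_secret_access_key|secret_key|secret)\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)


def shannon_entropy(s):
    """Bits per character; a real 40-char secret scores well above 4."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text, path="<stdin>", min_secret_entropy=4.0):
    """Return a list of findings for the given text, one dict per hit.

    Access key IDs are reported in full (they are identifiers, not secrets);
    secret keys are redacted to their first four characters.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"path": path, "line": lineno,
                             "kind": "aws_access_key_id", "match": m.group(1)})
        for m in SECRET_KEY_RE.finditer(line):
            candidate = m.group(2)
            if shannon_entropy(candidate) >= min_secret_entropy:
                findings.append({"path": path, "line": lineno,
                                 "kind": "aws_secret_access_key",
                                 "match": candidate[:4] + "..."})
    return findings


def scan_staged_changes():
    """Scan only the lines being added in the staged diff (hook use).

    Requires git; line numbers are per added line, not per file.
    """
    diff = subprocess.run(
        ["git", "diff", "--cached", "-U0", "--no-color"],
        capture_output=True, text=True, check=True,
    ).stdout
    findings, path = [], None
    for line in diff.splitlines():
        if line.startswith("+++ "):
            path = line[4:]
            path = path[2:] if path.startswith("b/") else path
        elif line.startswith("+") and not line.startswith("+++"):
            findings.extend(scan_text(line[1:], path))
    return findings


# Constructed sample: a credentials file committed by mistake. The key pair is
# AWS's published documentation example, not a live credential.
SAMPLE_CONFIG = "\n".join([
    "# constructed sample: a credentials file committed by mistake",
    "[default]",
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
    "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "# placeholder the scanner should not flag (no entropy):",
    "secret_key = " + "x" * 40,
])


if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG, "credentials"):
        print(f"{f['path']}:{f['line']}: {f['kind']} {f['match']}")
```

A hook like this only stops new keys going in. A key that has already been pushed has to be treated as compromised and rotated at once, because git history, forks and clones keep copies long after the offending commit is "removed".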

According to the Department of Justice (DOJ), they actually used their success with Uber as a selling point. When trying to extort the LinkedIn-owned education company Lynda, the hackers said:

[P]lease keep in mind, we expect a big payment as this was hard work for us, we already helped a big corp which paid close to seven digits, all went well.

LinkedIn didn’t play ball. Instead, it tried to identify the extortionists and called in the cops.

US Attorney David Anderson was none too impressed by Uber’s attempt to sweep the attack under the rug. From a statement:

Companies like Uber are the caretakers, not the owners, of customers’ personal information.

What gets stolen in a computer extortion belongs to your neighbors, not to yourselves. Don’t be so concerned with your image or reputation. Be concerned with the real losses others have suffered. Report the intrusion promptly. Cooperate with law enforcement.

3 Comments

Aaaaaaand we’re back.

It would be comically poetic if each extortionist were fined $51,000. I hope it’s the full 250k.

And $51 million for Uber. They could’ve taken the high road–if you’ll pardon the expression.
