Two hackers face up to five years in prison after pleading guilty to their involvement in a scheme which saw them attempt to extort money from Uber and LinkedIn in exchange for the deletion of stolen data.
Twenty-six-year-old Brandon Charles Glover and Vasile Meacre, 23, entered guilty pleas this week at a federal court in San Jose, California in relation to the theft of records related to 57 million of Uber’s passengers and drivers.
According to the US Department of Justice, the duo stole personal information from databases on AWS cloud servers in a criminal scheme which ran from October 2016 to January 2017. They then audaciously contacted the affected companies, claiming they had found vulnerabilities in employees’ use of the systems and demanding payment for the erasure of the confidential data.
Controversially, Uber’s security team acceded to the hackers’ demands and paid them $100,000 in Bitcoin in December 2016 to delete the data and keep the breach quiet.
After making the payments, Uber subsequently identified Glover as one of the hackers who had extorted money from them. However, rather than passing information to the authorities, Uber astonishingly met with both Glover and Meacre and convinced them to sign a confidentiality agreement with the hope that the news of the breach would not become public.
It was not until November 2017 that millions of Uber users and drivers found out their personal information had fallen into the hands of criminals.
Dara Khosrowshahi, who became CEO of Uber after the security breach and the payment to the hackers, said in November 2018 that “none of this should have happened, and I will not make excuses for it.”
At the same time, Uber’s security chief Joe Sullivan was ousted from the company alongside one other employee involved in the handling of
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Graham Cluley. Read the original post at: https://www.tripwire.com/state-of-security/featured/men-paid-100k-by-uber-to-hush-up-hack-plead-guilty-to-extortion-scheme/