Hiring a hacker probably shouldn’t be part of your business plan

By Richard Arneson

In just nine short years, ridesharing company Uber has risen from a small, San Francisco-based startup to a highly disruptive, $6.5 billion juggernaut that, along with its competitor Lyft, has given over 2 million people with a car and spare time on their hands the opportunity to earn a little extra cash while shuttling riders around their fair city. But with precipitous growth often comes pain. In Uber's case, the pain took the form of a $148 million settlement with state attorneys general, the price of the 2016 decision, made while co-founder and erstwhile CEO Travis Kalanick was still running the company, to cover up a security breach rather than disclose it.
It's unclear whether Kalanick knew about the plan ahead of time, but, regardless, Uber addressed the breach, which exposed personal information of some fifty-seven million (57,000,000) riders and drivers, including the names and driver's license numbers of roughly six hundred thousand (600,000) U.S. drivers, in an odd way. They hired a hacker.

The Breach

In 2016, attackers got into a private GitHub repository used by Uber's software engineers and found, stored there, credentials for Uber's Amazon Web Services (AWS) account. With those credentials they downloaded an unencrypted archive of driver and rider data, including names, email addresses, phone numbers and driver's license numbers, from Uber's AWS storage. But this wasn't Uber's first security breach rodeo. Two years earlier, in 2014, a similar incident, also involving an AWS access key exposed on GitHub, had already drawn an FTC complaint and a consent order. It's believed that the 2014 experience is what led several at Uber to decide that handling the latest breach on its own, without public disclosure, sounded like a good plan. It wasn't. And it's why they had to write the $148,000,000.00 check, made payable not to the FTC but to the attorneys general of all fifty states and the District of Columbia. The lesson for everyone else is as old as version control: a long-lived cloud credential checked into a repository has already leaked, however private that repository is supposed to be, and the only safe response is to rotate it immediately and purge it from the history.
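The failure mode in the breach above, a long-lived AWS credential sitting in a source repository, is one of the few in this story that can be caught mechanically. The following is an added example, not code from Uber or from GDT, of the kind of pre-commit scanner that would have flagged it: it matches the fixed shape of AWS access key IDs, matches secret keys by shape near an "aws" hint, and filters the latter by entropy to drop ordinary text. The sample file contents are constructed for the example; the key pair in them is the placeholder pair AWS publishes in its own documentation, not a real credential.

```python
"""Scan source text for AWS long-term credentials before they reach a shared repo.

Added example, not Uber's or GDT's tooling. SAMPLE_FILES is constructed; the
key pair inside it is the placeholder pair from AWS's own documentation.
"""
import math
import re
from dataclasses import dataclass

# Access key IDs have a fixed shape: AKIA (long-term) or ASIA (temporary)
# followed by 16 upper-case alphanumerics. Secret keys are 40 chars from the
# base64 alphabet with no prefix, so they are matched by shape within 40 chars
# of an "aws" hint and then filtered by entropy to drop words, paths and padding.
AWS_KEY_ID = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
AWS_SECRET = re.compile(r"(?i)aws[^\n]{0,40}?['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")
ENTROPY_THRESHOLD = 4.0  # bits per char; a random 40-char base64 string is ~4.5-5.3


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits per character of s; high values mean random-looking strings."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str) -> list[Finding]:
    """Return every credential-shaped token in text, tagged with its line number."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID.finditer(line):
            findings.append(Finding(path, line_no, "aws_access_key_id", m.group(1)))
        for m in AWS_SECRET.finditer(line):
            candidate = m.group(1)
            # Low-entropy 40-char runs (e.g. "aaaa...") are not secrets; skip them.
            if shannon_entropy(candidate) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, line_no, "aws_secret_access_key", candidate))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents, as a pre-commit hook would pass staged files."""
    out: list[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample: a settings file committed by mistake beside a clean README.
SAMPLE_FILES = {
    "deploy/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        'BUCKET = "rider-exports"\n'
    ),
    "README.md": (
        "Set credentials via the instance role, never in source.\n"
        "aws s3 ls s3://rider-exports/  # list the export bucket\n"
    ),
}

if __name__ == "__main__":
    hits = scan_files(SAMPLE_FILES)
    for f in hits:
        print(f"{f.path}:{f.line_no}: {f.kind} {f.value[:4]}...")
    # Non-zero exit blocks the commit when used as a pre-commit hook.
    raise SystemExit(1 if hits else 0)
```

Run directly, it exits non-zero when anything is found, which is how a pre-commit hook or CI job would use it. The real fix is to have no static key to leak at all: give the workload an IAM role and short-lived credentials, and scan the repository's history as well as the working tree, because a key deleted in a later commit is still present in every earlier one.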

The Uber Bug Bounty Program

At the time of Uber's disclosure, forty-eight states had some type of legislation requiring companies to tell consumers that a data breach has occurred. Uber eventually got around to telling the public, but only after first trying to make the problem go away with a half-baked plan: it paid a hacker $100,000 through its bug bounty program, which exists to reward researchers who discover and responsibly disclose software flaws before anyone exploits them. Oh, boy.
A bounty pays for a report of a flaw. Here the flaw had already been exploited and the data was already gone. In this case, the hacker-for-hire's job was to delete the stolen data, sign a nondisclosure agreement to keep mum, and collect a cool hundred grand. Nothing in that arrangement let Uber verify that every copy of the data had actually been destroyed. The incident wasn't reported until a year later by new CEO Dara Khosrowshahi, who declared the handling of the incident a failure and fired the two employees who had signed off on the $100k payment.
State attorneys general investigated and determined that Uber had violated their data breach notification laws; that investigation produced the $148 million settlement. The FTC, which already had a consent order with Uber stemming from the 2014 breach, separately reopened its case and announced an expanded settlement in April 2018.
“After misleading consumers about its privacy and security practices, Uber compounded its misconduct,” said acting FTC chairman Maureen Ohlhausen. She announced that this new agreement with Uber is “designed to ensure that Uber does not engage in similar misconduct in the future.”
Under the FTC's expanded order, Uber must submit to independent privacy audits for the next twenty years. And if it fails to notify the FTC of future security breaches, or misrepresents how it monitors access to consumers' personal information, it could face civil penalties that would make $148 million look like the change you find between the sofa cushions.

Got questions? Call on the Security experts

To find out more about the many threats that may soon target, or are currently targeting, your organization, contact GDT’s tenured and talented security analysts at From their Security- and Network Operations Centers, they manage, monitor and protect the networks of some of the most notable enterprises, service providers, healthcare organizations and government agencies in the world. They’d love to hear from you.
