GDT Webinar Series – How to Fail at Security? Reserve Your Spot

Hiring a hacker probably shouldn’t be part of your business plan

Hiring a hacker

By Richard Arneson

In just nine (9) short years, ridesharing company Uber has risen from a small, San Francisco-based startup to a highly disruptive, $6.5 billion juggernaut that, along with its competitor Lyft, has given over 2 million people with a car and spare time on their hands the opportunity to earn a little extra cash while shuttling riders around their fair city. But with precipitous growth often comes pain. In Uber’s case, the pain comes in the form of a FTC-mandated $148 million settlement payment resulting from the 2016 decision to cover up a security breach by co-founder and erstwhile CEO Travis Kalanick.
It’s unclear whether Kalanick knew about the plan ahead of time, but, regardless, Uber addressed the data breach that exposed the names and driver’s license numbers of over six hundred thousand (600,000) drivers and another fifty-five million (55,000,000) riders in an odd way. They hired a hacker.

The Breach

In 2016, attackers accessed Github, a site utilized by software engineers, to somehow obtain Uber’s credentials for their AWS account. Once in, the intruders secured unencrypted information about their drivers and riders, including email addresses, phone numbers and driver’s licenses. But this wasn’t Uber’s first security breach rodeo. Two (2) years earlier, in 2014, a similar breach resulted in FTC-mandated sanctions. It’s believed that the 2014 incident is what led several at Uber to decide that handling the latest breach on its own, without public disclosure, sounded like a good plan. It wasn’t. And it’s why they had to write the $148,000,000.00 check made payable to the FTC.

The Uber Bug Bounty Program

Forty-eight (48) states have some type of legislation that requires companies to reveal to consumers that a data breach has occurred. While Uber eventually got around to telling the public, they did so after first trying to repair the damage with this, their half-baked plan—they paid a hacker $100,000 through Uber’s bug bounty program, which rewards any hacker who discovers and discloses software flaws. Oh, boy.
In this case, the hacker-for-hire’s job was to delete the affected data, sign a nondisclosure agreement to keep mum, and collect a cool hundred grand. The incident wasn’t reported until a year later by new CEO Dara Khosrowshahi, who declared the handling of the incident a failure, then fired two (2) employees who had signed off on the $100k payment.
After an investigation by state attorneys general determined that Uber had violated data breach notification laws, the FTC then conducted their investigation, which concluded in April of this year.
“After misleading consumers about its privacy and security practices, Uber compounded its misconduct,” said acting FTC chairman Maureen Ohlhausen. She announced that this new agreement with Uber is “designed to ensure that Uber does not engage in similar misconduct in the future.”
As a result of the FTC’s investigation, Uber will have to submit to regular privacy audits for the next twenty (20) years. And if they fail to notify the FTC of any security breaches in the future, or if they engage in or provide misleading information about how they monitor access to consumers’ personal information, they could face significant civil penalties, ones that’ll make $148 million look like the change you find between the sofa cushions.

Got questions? Call on the Security experts

To find out more about the many threats that may soon target, or are currently targeting, your organization, contact GDT’s tenured and talented security analysts at From their Security- and Network Operations Centers, they manage, monitor and protect the networks of some of the most notable enterprises, service providers, healthcare organizations and government agencies in the world. They’d love to hear from you.

Read more about network security here:
Gen V
Sexy, yes, but potentially dangerous
Tetration—you should know its meaning
It’s in their DNA
Rx for IT departments—a security check-up
When SOC plays second fiddle to NOC, you could be in for an expensive tune
How to protect against Ransomware


Share this article

You might also like:

AI and Data Security

The advent of artificial intelligence (AI) brings transformative potential across industries while also introducing significant data security challenges. As AI systems become integral to operational and decision-making processes, safeguarding sensitive information against sophisticated threats is paramount. This exploration sheds light on the complexities of AI and data security and proposes

Transport layer security (TLS)

Transport layer security (TLS) is one of the most common tools for keeping users safe on the internet. When automated, TLS certification management can help organizations ensure more reliable and consistent use of TLS, reducing the need for human intervention and risk of human error. In fact, over the years,


As the head of GDT’s security practice and an industry veteran, Jeanne Malone and her team help customers worldwide advance their cybersecurity posture. One of the biggest cybersecurity game-changers is artificial intelligence (AI). We asked Jeanne to weigh in on leveraging AI and machine learning in cybersecurity to improve intrusion