Two hackers face up to five years in prison after pleading guilty to their involvement in a scheme which saw them attempt to extort money from Uber and LinkedIn in exchange for the deletion of stolen data. Twenty-six-year-old Brandon Charles Glover and Vasile Meacre, 23, entered guilty pleas this week at a federal court in San Jose, California in relation to the theft of records related to 57 million of Uber's passengers and drivers. According to the US Department of Justice, the duo stole personal information from databases on AWS cloud servers in a criminal scheme which ran from October 2016 to January 2017. They then audaciously contacted the concerned companies, claiming they had found vulnerabilities in employees' use of the systems and demanding payment for the erasure of the confidential data.
Controversially, Uber's security team acceded to the hackers' demands and paid them $100,000 in Bitcoin in December 2016 to delete the data and keep the breach quiet. After making the payments, Uber subsequently identified Glover as one of the hackers who had extorted money from them. However, rather than passing information to the authorities, Uber astonishingly met with both Glover and Meacre and convinced them to sign a confidentiality agreement with the hope that the news of the breach would not become public. It was not until November 2017 that millions of Uber users and drivers found out their personal information had fallen into the hands of criminals. Dara Khosrowshahi, who became CEO of Uber after the security breach and the payment to the hackers, said in November 2018 that "none of this should have happened, and I will not make excuses for it." At the same time, Uber's security chief Joe Sullivan was ousted from the company alongside one other employee involved in the handling of the incident. However, Uber was not the only target of Glover and Meacre's extortion plot. At the same time as the Uber extortion, the duo also managed to steal data related to 90,000 accounts at Lynda.com, the online learning company owned by LinkedIn, from an AWS server. Perhaps emboldened by their success with Uber, the duo emailed LinkedIn from a ProtonMail account, demanding a significant financial payment for the secure deletion of the data. Attached to a sample of the records they had stolen was a note which read in part:
Please keep in mind, we expect a big payment as this was hard work for us, we already helped a big corp which paid close to seven digits, all went well.
LinkedIn's security team, however, was a lot less happy to play ball than Uber, refusing to pay their extortionists. Instead, they reset passwords of affected accounts.
U.S. Attorney David Anderson strongly criticised Uber for failing to alert the authorities about the security breach and loss of so much personal data that might have been exploited by identity thieves and fraudsters:
Companies like Uber are the caretakers, not the owners, of customers' personal information.
Uber has since agreed to pay $148 million as a settlement for its concealment and poor handling of the data breach. Sentencing of Meacre and Glover has been scheduled for March 18 2020, where they could be punished with a five-year prison sentence and a $250,000 fine.