This article was published on November 1, 2019

Uber used Bitcoin to pay $100K hacker ransom in 2017, court docs confirm


Uber used Bitcoin to pay hackers who held sensitive data for ransom, court documents have confirmed.

As a result, two men pleaded guilty to charges of computer hacking and extortion, bringing a lengthy legal saga that embroiled Uber and LinkedIn-owned training site Lynda.com in costly data breaches to a close.

The hackers gained access to customer information on the companies' servers by using Amazon Web Services logins belonging to Uber and Lynda.com employees.

They then contacted both companies to extort them for hundreds of dollars' worth of Bitcoin.


At the time, Uber agreed to pay $100,000 in the cryptocurrency. The payment was processed via the tech giant’s HackerOne bug bounty program, and Uber required the hackers to sign a confidentiality agreement preventing them from using the data and publicly disclosing the security breach.

Vasile Mereacre, from Canada, and Brandon Glover, from Florida, were indicted last year after stealing information of 55,000 accounts from Lynda.com, which, unlike Uber, refused to pay.

It was then revealed that both men were also the perpetrators of a 2016 Uber breach that compromised the data of 57 million users.

Uber kept the security breach private for over a year, until November 2017, when its new leadership became aware of the cover-up and decided to go public.

As a result, the company received a hefty $148 million fine and had to agree to 20 years of privacy audits.

Uber also fired its chief security officer Joe Sullivan, who orchestrated the payments and failed to alert company users about the security breach.

The New York Times says both men, who are due to be sentenced next year, could face a maximum sentence of five years in federal prison and could be fined up to $250,000.
