Uber used Bitcoin to pay hackers who held sensitive data for ransom, court documents have confirmed.
As a result, two men pleaded guilty to charges of computer hacking and extortion, bringing a lengthy legal saga that embroiled Uber and LinkedIn-owned training site Lynda.com in costly data breaches to a close.
To access the companies‘ servers, the hackers gained access to customer information by using Amazon Web Services logins belonging to Uber and Lynda.com employees.
They then contacted both companies to extort them for hundreds of dollars‘ worth of Bitcoin.
At the time, Uber agreed to pay $100,000 in the cryptocurrency. The payment was processed via the tech giant’s HackerOne bug bounty program, and Uber required the hackers to sign a confidentiality agreement preventing them from using the data and publicly disclosing the security breach.
Vasile Mereacre, from Canada, and Brandon Glover, from Florida, were indicted last year after stealing information of 55,000 accounts from Lynda.com, which unlike Uber, refused to pay.
It was then revealed that both men were also the perpetrators of a 2016 Uber breach that compromised the data of 57 millions users.
Uber kept the security breach private for over a year, until November 2017, when its new leadership became aware of the cover-up and decided to go public.
As a result, the company received a hefty $148 million fine and had to agree to 20 years of privacy audits.
Uber also fired its chief security officer Joe Sullivan, who orchestrated the payments and failed to alert company users about the security breach.
The New York Times says both men, who are due to be sentenced next year, could face a maximum sentence of up to five years in federal prison and could be fined up to $250,000.
Get the TNW newsletter
Get the most important tech news in your inbox each week.