Details of Uber’s mismanagement of 2016 data breach emerge in court

Published: November 1, 2019

Updated: November 4, 2019

Author: Luke Jones



Prosecutors against Uber has revealed more details about the cyberattack the ride-hailing company suffered in 2016. According to lawmakers, the tech giant failed in many instances when handling the breach.

Specifically, prosecutors say Uber paid hackers $100,000 to delete 57 million user files that had been stolen from a third-party server. Those files contained information regarding users of the app. In paying this ransom, Uber also failed to report the incident to authorities first, online disclosing it after the fact.

Furthermore, Uber admitted to meeting with the hackers. Toronto-based Vasile Mereacre and Florida-based Brandon Glover both admitted to being the perpetrators. However, Uber did not inform police and instead requested the pair sign a non-disclosure agreement to not talk about the attack.

Once the attack was disclosed, both Mereacre and Glover were arrested. At their trial this week, both pleaded guilty to the charge of conspiracy to commit extortion and face a maximum sentence of five years in prison.

US attorney for Northern California Dave Anderson revealed to CBS News that the dynamics of the case are confusing. For example, another person was involved but Uber does not know who it is. Additionally, it is impossible to know what happened to the data that was stolen.

“We know that the defendants said that they destroyed that data … but there was a third participant in the hack. And that third participant was unknown to Uber,” he said.

Anderson said Uber did “absolutely not” act responsibly when handling the incident.