Uber paid off their hackers — they’re far from the only ones

“More and more companies have their own Bitcoin wallets for such cases.”

  • Peter Holley The Washington Post
  • Thursday, November 23, 2017 7:57am
  • Business

By Peter Holley / The Washington Post

It may have been the most arresting detail in a story full of them: Not only did Uber allow hackers to make off with the personal data of 57 million customers and drivers, but the ride-hailing company also had paid those same criminals $100,000 to delete the data and keep their mouths shut about the entire episode.

If it sounds like an old school crime wrapped in a new school mold — blackmail for the digital era — that’s because it is, according to cyber security experts. The only new thing about hacks and subsequent hush money is the belief among cyber security professionals that similar payments are occurring with increasing frequency.

“In the security practice, paying a ransom is usually cheaper than paying the price of corrective actions after a successful breach,” Csaba Krasznay, a security evangelist at Balabit.com, said, referring to the price of public and regulatory scrutiny that could come from announcing a breach. “That is why the cyber crime model works: ‘We have your data, pay us X bitcoins and we won’t publish it on the Darknet.’ Or: ‘We started a DDoS attack against your service, pay Y bitcoins and we’ll stop it.’ … Based on the rumors, more and more companies have their own Bitcoin wallets for such cases,” he said.

Experts said there is no way to know how many companies have resorted to paying off attackers, but as the volume of cyber attacks skyrockets, they reason, so does the number of companies forced into desperate scenarios where their data and their reputation are at stake.

The FBI revealed that ransomware payments — often made after malware arrives via email — have increased dramatically in recent years, from $24 million in 2015 to close to $1 billion a year later.

Hackers aren’t confining their efforts to tech companies. Last year, Hollywood Presbyterian Medical Center in Los Angeles paid hackers nearly $17,000 after its network was infiltrated and disabled.

Uber officials were also willing to pay after it became clear last year that two attackers had accessed names, email addresses and phone numbers of 57 million people around the world, according to a statement released by the company’s chief executive, Dara Khosrowshahi. The driver’s license numbers of about 600,000 U.S. drivers were also included. For their role in keeping the breach quiet, Uber removed Joe Sullivan, the company’s chief security officer, as well as a deputy who worked with him, according to Bloomberg.

“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said.

Uber did not immediately respond to a request for comment about its decision to pay off hackers.

For a company like Uber, experts said, one already struggling to navigate periodic waves of bad publicity, there may have been few good options in the wake of last year’s attack.

“Most companies know that paying the ransom does not necessarily mean the attack is over,” said Travis Jarae, the CEO of the research and strategy company One World Identity. “A fear of public shame, reputation loss, and potential regulatory action outweighs notification and admission of guilt.”

But Jarae and other experts agreed that by agreeing to pay the ransom, Uber and other companies are putting all companies — and the public data that they rely on — at greater risk.

“Hackers talk to each other,” said Mark Orlando, the chief technology officer for cyber services at Raytheon. “By staying silent, Uber has empowered them for a year, where they could have brought this into the light, raised public awareness of the threat and made some good come of this. Instead, the company gave its attackers exactly what they wanted — a lot of money, and a reason to try this again and again.”

There’s another reason to disclose a hack, experts said: Regulators can slap companies with millions in fines if they fail to notify the proper authorities.

Dr. David Murakami-Wood, a surveillance and security expert at Queen’s University, said he doesn’t have any concrete numbers, but suspects such payments “are very widespread.” For a company like Uber, he said, the reason officials should’ve avoided paying off cyber hackers is the same reason companies try to avoid paying off non-digital criminals: Because they’ll return next time asking for more.

A year later, he said, Uber finds itself even worse off than it was after the hack.

“They’re in quite a fragile position right now,” he said. “Their business model requires them to convince cities that they should not be subject to the same kinds of regulations as conventional taxi companies, but what they’re showing is that they can’t be trusted to and can’t manage their own data. They’re unable to self-regulate and that’s exactly what they’re telling these cities they can do.”
