Two men have confessed they siphoned confidential information from databases hosted in the Amazon cloud, and then demanded payment to delete their copies of the data.
Brandon Charles Glover, 26, of Winter Springs, Florida, America, and Vasile Mereacre, 23, of Toronto, Canada, each pleaded guilty to one charge of conspiracy to commit extortion involving computers at a San Jose courthouse in California on Wednesday. In agreeing to admit their crimes, and forgo a lengthy trial, the duo are set to face up to five years in the clink and a fine of $250,000 apiece. They will be sentenced in March.
The two hatched their scam in late 2016: they obtained the private access keys to an Uber backend database hosted by Amazon Web Services, and gave the credentials to a “technically proficient hacker,” who used the information to rifle through the repository and seek out interesting archives.
Some 57 million customer and driver personal records were subsequently downloaded by Glover and Mereacre.
Glover and Mereacre then contacted Uber via a Protonmail address, and demanded money to destroy the data from their local storage, enclosing a small sample in the email to prove they had the goods.
Rather than call the police, Uber executives met the pair, and agreed to pay them $50,000 each to wipe the purloined files. The bosses made the duo sign non-disclosure agreements to keep the whole thing hush-hush. Uber also hid the database intrusion from America's trade watchdog FTC, which was investigating another hacking attack against the taxi app maker.
Emboldened, the two then tried to pull the same stunt with Lynda.com, now owned by LinkedIn. “[P]lease keep in mind, we expect a big payment as this was hard work for us, we already helped a big corp which paid close to seven digits, all went well,” the pair told Lynda's staff in an extortion note. Lynda told them where to stuff it, and called in the cops.
"We appreciate the ongoing work by the US Attorney’s office to pursue and bring to justice those responsible for the 2016 breach of Lynda user information,” the online education outfit told The Register today. "We’re glad to see the resolution of this investigation."
Prosecutors were not impressed at Uber's attempt to cover up the cyber-break-in, and slammed the San Francisco-based tech upstart.
“Companies like Uber are the caretakers, not the owners, of customers’ personal information,” said David Anderson, United States Attorney for Northern California, in an email to The Reg. “What gets stolen in a computer extortion belongs to your neighbors, not to yourselves. Don’t be so concerned with your image or reputation. Be concerned with the real losses others have suffered. Report the intrusion promptly. Cooperate with law enforcement.”
Uber’s decision to hush things up and pay off the duo ultimately cost it a small chunk of change. It ended up paying US states a $148m settlement, and the decision also cost at least two of its security team their jobs, including Joe Sullivan, Facebook's former Chief Security Officer during the Cambridge Analytica scandal and now CSO at Cloudflare.
“We’re dealing with the most sophisticated cyber actors in the world,” FBI Special Agent in Charge John Bennett chimed in via email.
“In order to take on those people on the front lines of the cyber security battle, we rely heavily on our valued relationships and open dialogue with private sector companies in cyber industries. Their willingness to speedily report intrusions to our investigators allows us to find and arrest those who commit data breaches.” ®