Business & Tech

Mass. AG launches investigation into Uber data breach

Massachusetts Attorney General Maura Healey.
DREW ANGERER/GETTY IMAGES/File
Massachusetts Attorney General Maura Healey.

Massachusetts Attorney General Maura Healey is the latest official to investigate ride-hailing pioneer Uber after the company acknowledged this week that it was the target of a massive data breach in 2016.

The Democrat told WGBH-FM on Wednesday that she had requested documents and other information from Uber, adding her office is ‘‘keeping all criminal and civil options on the table.’’

Uber said hackers stole personal information about more than 57 million of its customers and drivers, but that there was no evidence the stolen data was misused. The company said it paid the hackers $100,000 to destroy the material.

Advertisement

Healey says Uber knew about the theft for a year and failed to disclose it as required under Massachusetts law.

Get Talking Points in your inbox:
An afternoon recap of the day’s most important business news, delivered weekdays.
Thank you for signing up! Sign up for more newsletters here

Other law enforcement officials, including New York Attorney General Eric Schneiderman, have opened investigations into the data breach, including whether the company violated laws requiring the disclosure of major breaches to customers and legal authorities.

Uber’s admission also raises questions about the ongoing practice of paying off hackers, which some experts warn encourages criminals to keep on hacking away at major corporations and the consumers who’ve entrusted them with their personal information.

While many security experts have criticized Uber for paying off the hackers with a ransom — which the company later categorized as a ‘‘bug bounty’’ awarded to security researchers — others saw the $100,000 payment as a relative bargain that also successfully secured users’ data.

‘‘Uber paid $100K to protect 57M people? Good,’’ tweeted Dan Kaminsky, chief scientist at security firm White Ops. ‘‘I think people forget the goal is actually to prevent harm. Yeah, those hackers could totally have kept the data. But then, their identities were known, and they knew they might face consequences. Not ideal, welcome to the real.’’

Advertisement

The October 2016 hack started at the software repository GitHub, a platform where developers can go to host and review each other’s code. Bloomberg reported that two Uber developers had stashed credentials for the company’s data stores in their code on GitHub.

Uber hasn’t explained how its developers’ private account on the site was compromised, but it likely involved some carelessness, said Kyle Flaherty of the Boston cybersecurity firm Rapid7.

‘‘It’s like any other account you have,’’ Flaherty said. ‘‘Be stringent with your own credentials and be aware of other login credentials that might be inside the repository itself, whether it’s in the code or elsewhere.’’

Bloomberg reported that two Uber developers had stashed credentials for the company’s data stores in their code on GitHub.

GitHub said Wednesday that the breach was not the result of a failure of its own security, but declined further comment. It also reiterated that it recommends against storing access tokens, passwords or other authentication or encryption keys in code stored on the site — and warned developers who do so to use extra safeguards to prevent unauthorized access.