Uber boss allegedly knew about hack
Uber's recently appointed CEO reportedly knew about the recent hack
Uber recently confirmed that it had suffered a catastrophic hack affecting around 57 million of its users globally, but reports are circulating claiming that it knew of this for some time.
A report published by the Wall Street Journal claims that it took a while for the company's management team to decide to make the news public and inform affected users.
It states that recently appointed CEO Dara Khosrowshahi was told about the hack two weeks after he took the job on September 5th. It adds that he opted to keep it a secret for more than two months.
Of course, it's in the public's interest to learn about such hacks. But due to a range of internal problems, the company allegedly decided to keep the news under wraps.
What is known for sure is that Khosrowshahi did order the subsequent internal investigation. As soon as he found out about the news, he wanted to learn about how the hack happened and how many people had been affected.
Uber's own security teams and their specialist digital forensics firm, Mandiant, wanted to find out how the hackers were able to compromise company systems and gain access to customer data.
They also wanted to fire the executives responsible for covering up the attack. According to the report, the company told future investor SoftBank only three weeks before the WSJ report hit the web.
The researchers weren't able to inform the company about how many people fell victim to the attack. In fact, they've only just discovered this information.
In a statement, the company explained that it had a "duty to disclose to a potential investor" and had already unveiled the hack in a "very public way" following the investigation.
James Maude, senior security engineer at Avecto, slammed the firm for trying to cover up the news. He explained that it's just as catastrophic as the actual hack. "The cover-up of this data breach is almost as interesting as the breach itself, and is just as damaging," he said.
"To avoid the reputational fallout, a lot of organisations will try and cover up ransomware and other breaches, but this is only getting harder.
"Legislation in the form of the General Data Protection Regulations (GDPR) is coming into force in the EU that makes it compulsory to notify the authorities of these events.
"This still applies in the case of ransomware, where data is encrypted but doesn't leave the organisation, or in the case of Uber where they paid up to make sure it didn't go public."
He added: "A serious error on Uber's part was storing the keys to its data store on a GitHub code repository which the attackers could access. This is the digital equivalent of writing the password down on a bit of paper. Once the attackers had this key, they could access data easily.
"There is a growing issue around organisations outsourcing data storage to the cloud with limited or no security - yet companies feel like they've outsourced security too. The cloud presents both a great opportunity and a great danger at the same time."