Posts Tagged ‘hacking’

Apple Says All Macs, iPhones and iPads Exposed to Chip Security Flaws

January 5, 2018


By Mark Gurman

  • Company says recent software updates mitigate Meltdown flaw
  • Fixes won’t slow down devices; users not currently affected
  Intel’s Chip Vulnerabilities

Apple Inc. said all Mac computers and iOS devices, like iPhones and iPads, are affected by chip security flaws unearthed this week, but the company stressed there are no known exploits impacting users.

The Cupertino, California-based company said recent software updates for iPads, iPhones, iPod touches, Mac desktops and laptops, and the Apple TV set-top-box mitigate one of the vulnerabilities known as Meltdown. The Apple Watch, which runs a derivative of the iPhone’s operating system, is not affected, according to the company.

Despite concern that fixes may slow down devices, Apple said its steps to address the Meltdown issue haven’t dented performance. The company will release an update to its Safari web browser in coming days to defend against another form of the security flaw known as Spectre. These steps could slow the speed of the browser by less than 2.5 percent, Apple said in a statement posted on its website.


Intel Corp. on Wednesday confirmed a report stating that its semiconductors contain a vulnerability based around a chip-processing technique called speculative execution. Intel said its chips, which power Macs and devices from other manufacturers, contain the flaw, as do processors based on ARM Holdings architecture, which is used in iOS devices and Android smartphones.

In December, Apple came under fire for iPhone software changes that reduced the performance of some older models of its smartphone. Alongside an apology and an explanation that a software change was implemented to balance out the effect of aging batteries, the company reduced the cost of replacing the power units from $79 to $29 through the end of 2018.

Apple shares remained flat after it announced its devices were affected by the computer-chip flaw. Intel dropped as much as 5.7 percent to $42.69 in New York Thursday before recovering slightly to $44.43, after declining 3.4 percent on Wednesday.

Security experts have said highly regulated sectors of industry, such as government offices and public health institutions, are most at risk of compromise as a result of the chip security vulnerability.

— With assistance by Nate Lanxon




Tech Giants Race to Address Widespread Chip Flaws

January 4, 2018

Spectre and Meltdown, long-time design bugs, could make many devices vulnerable to hack

The world’s computer-chip and software makers scrambled to respond to the discovery of two widespread hardware vulnerabilities disclosed by cybersecurity experts that could affect most of the world’s modern computing devices.

Tech manufacturers and researchers described the two vulnerabilities as design flaws, long present in most modern chips. The bugs, dubbed Spectre and Meltdown, make data stored in the working memory of shared servers and individual devices—including personal computers, tablets and smartphones—vulnerable to attack.

The flaws could allow hackers to access and steal data from devices or servers. To take advantage of either bug, however, a hacker must run malicious software on the central processing unit—essentially the brains of any modern computing device—of the machine they are targeting.

Companies and several government cybersecurity agencies said there was no indication so far of reports of any significant breaches related to the two flaws.

Still, because of the widespread nature of the flaws, Intel Corp., Microsoft Corp., Inc., Alphabet Inc.-owned Google and others moved quickly to explain the nature of the bugs and what they have done to minimize the threat, including rolling out software fixes. Some patches, however, could slow down computers, security experts warned, though it was unclear Thursday whether they were causing any major disruptions.

Intel’s corporate offices are seen in Santa Clara, Calif. Intel says it is working to patch a security vulnerability in its products. Photo: Ben Margot/Associated Press

The U.S. Computer Emergency Readiness Team, a cybersecurity center that is part of the U.S. Department of Homeland Security, said late Wednesday that it was aware of the two bugs. It encouraged system administrators to contact software vendors for ways to patch them. CERT said it wasn’t aware of any “active exploitation” of the bugs.

A spokesperson for the National Cyber Security Centre, an arm of the U.K.’s intelligence agency, said it wasn’t aware of evidence of “malicious exploitation” of the flaws. “The NCSC advises that all organizations and home users continue to protect their systems from threats by installing patches as soon as they become available.”

Google said its researchers had identified the flaws and had planned to disclose them—as well as what it has done to fix them—later this month. But it moved up action after the bugs were widely disclosed Wednesday. Often firms and researchers working to protect systems from hacks hold off on disclosing bugs widely to minimize the risk that potential hackers could exploit them.

Google said it had mitigated the vulnerabilities in many of its own products at risk. For instance, it said users of its Android operating system who have installed the latest security fixes didn’t need to do anything else. Users of Google’s Chrome browser, however, were asked to take specific action in some cases to protect their systems.

Google said it had also patched its cloud platform that it leases to businesses. But it said that its cloud customers must implement the patch within their own systems.

Amazon said it had notified its web-services customers that it was patching its data centers. The company said that customers need to patch the operating systems they are running on top of Amazon’s infrastructure. Microsoft said it has “been working closely with chip manufacturers to develop and test mitigations to protect our customers.”

The two flaws could affect practically every computer on the globe running a modern central-processing unit, or CPU, according to researchers that first identified them. They pose a particular danger for shared machines that have many users—such as those in data centers used for cloud computing—because they could allow one user to grab sensitive data belonging to another user, such as passwords or encryption keys.

They take advantage of tricks that modern chips use to speed up their performance, where chips perform calculations out of order, or guess what calculations they will have to do, rather than waiting for all the information they need to complete each step in order. Researchers showed that hackers could use those speculative, or out of order, instructions to trick chips into revealing sensitive data elsewhere in the processor’s memory.

The bug called Meltdown allows software to jump over protections that would normally restrict access to a device’s memory, giving hackers access to core functions of the machine as well as data from other users. Researchers say that bug is easier to patch than Spectre, although the patch could slow the performance of the machines that use it.

In a conference call late Wednesday, Intel’s general manager of data center engineering, Stephen Smith, said any potential exploit “is really not the result of product erratum. The processors are really operating as they should operate, as they were designed to operate and validated to operate.”

He said software patches can help mitigate the flaw, and that Intel launched an industrywide collaboration to incorporate a fix in the hardware.

There are existing patches against Meltdown for Microsoft’s Windows, Apple Inc.’s Mac OS and Linux, a family of open-source operating systems. But it is up to companies, such as cloud providers, to apply them.

In the case of Spectre, the flaw is so deeply embedded in the way modern chips are designed that while some patches can stop known exploits, fully fixing it will require redesigning computer chips and then replacing those currently in use, according to a federally funded cybersecurity center at Carnegie Mellon University.

Spectre appears to affect chips designed or made by Intel, Advanced Micro Devices Inc. and SoftBank Group Corp.-owned ARM, a British-based chip designer.

An ARM spokesman said the majority of its processors weren’t impacted, and those affected were certain high-end chips. The spokesman said ARM was working with Intel and AMD to patch the possible hacking method, “which is not an architectural flaw or a bug.” In the worst-case scenario, a hacker could access “small pieces of data.”

AMD said in a statement that software patches resolved one of the vulnerabilities with “negligible impact expected,” while the differences in the way AMD chips are designed means “there is a near zero risk” they are vulnerable to the other attacking methods.

Write to Sam Schechner at and Stu Woo at


Vulnerability in computer chips sparks security fears and debate

January 4, 2018


© Josh Edelson/AFP | An Intel sign at the Intel Museum in Santa Clara, CA. Security weaknesses found in computer chips, including ones made by Intel, prompted concerns on Wednesday.


Latest update: 2018-01-04

Researchers expressed concerns on Wednesday that hackers could access sensitive data on most modern systems, as technology firms sought to play down the security risks.

Chip giant Intel issued a statement responding to a flurry of warnings surfacing after researchers discovered the security hole which could allow privately stored data in computers and networks to be leaked.

Intel labeled as incorrect reports describing a “bug” or “flaw” unique to its products.

Intel chief executive Brian Krzanich told CNBC that “basically all modern processors across all applications” use this process known as “access memory,” which was discovered by researchers at Google and kept confidential as companies work on remedies.

Google, meanwhile, released findings from its security researchers who sparked the concerns, saying it made the results public days ahead of schedule because much of the information had been in the media.

The security team found “serious security flaws” in devices powered by Intel, AMD and ARM chips and the operating systems running them and noted that, if exploited, “an unauthorized party may read sensitive information in the system’s memory such as passwords, encryption keys, or sensitive information open in applications.”

“As soon as we learned of this new class of attack, our security and product development teams mobilized to defend Google’s systems and our users’ data,” Google said in a security blog.

“We have updated our systems and affected products to protect against this new type of attack. We also collaborated with hardware and software manufacturers across the industry to help protect their users and the broader web.”

Spectre and Meltdown

The Google team said the vulnerabilities, labeled “Spectre” and “Meltdown,” affected a number of chips from Intel as well as some from AMD and ARM, which specializes in processors for mobile devices.

Intel said it was working with AMD and ARM Holdings and with the makers of computer operating software “to develop an industry-wide approach to resolve this issue promptly and constructively.”

Jack Gold, an independent technology analyst, said he was briefed in a conference call with Intel, AMD and ARM on the issue and that the three companies suggested concerns were overblown.

“All the chips are designed that way,” Gold said.

The companies were working on remedies after “some researchers found a way to use existing architecture and get into protected areas of computer memory and read some of the data,” he added.

Microsoft said in a statement it had no information suggesting any compromised data but was “releasing security updates today to protect Windows customers against vulnerabilities.”

But an AMD spokesman said that because of the differences in AMD processor architecture, “we believe there is near zero risk to AMD products at this time.”

ARM meanwhile said it was “working together with Intel and AMD” to address potential issues “in certain high-end processors, including some of our Cortex-A processors.”

“We have informed our silicon partners and are encouraging them to implement the software mitigations developed if their chips are impacted,” the SoftBank-owned firm said.


Earlier this week, some researchers said any fix — which would need to be handled by software — could slow down computer systems, possibly by 30 percent or more.

Intel’s statement said these concerns, too, were exaggerated.

“Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time,” the company statement said.

Tatu Ylonen, a security researcher at SSH Communications Security, said the patches “will be effective” but that it will be critical to get all networks and cloud services upgraded.

British security researcher Graham Cluley also expressed concern “that attackers could exploit the flaw on vulnerable systems to gain access to parts of the computer’s memory which may be storing sensitive information. Think passwords, private keys, credit card data.”

But he said in a blog post that it was “good news” that the problem had been kept under wraps to allow operating systems such as those from Microsoft and Apple to make security updates before the flaw is maliciously exploited.


Cryptocurrency Exchange Collapses, Files for Bankruptcy After Second Hack

December 19, 2017

Yapian, which operates South Korea’s Youbit, said latest security breach caused it to lose 17% of its total assets

Youbit trades 10 virtual currencies including bitcoin and ethereum.

A cryptocurrency exchange in South Korea collapsed on Tuesday after it suffered a second cyberattack in eight months and lost a large amount of its digital-currency reserves.

Yapian, the company that operates a Seoul-based exchange called Youbit, suspended digital-currency trading and filed for bankruptcy after its systems were hacked in the predawn hours of Tuesday. The exchange trades 10 virtual currencies including bitcoin and ethereum.

Yapian said in a statement that the latest security breach caused it to lose 17% of its total assets. The company didn’t specify the type of virtual currencies that were stolen or the financial value of its losses. The previous cyberattack, in April, also resulted in losses from its reserves.

Users of the exchange with digital coins in their online accounts were told by Youbit on Tuesday that they could withdraw about 75% of their cryptocurrency for now. The remaining balances would be returned after the company goes through bankruptcy proceedings, it said.

The threat of cyberattacks is heightening online-security concerns in the cryptocurrency markets as prices of bitcoin have surged over the past year and drawn a flood of investors and speculators to digital currency trading, especially in Asia.

After Youbit’s April cyberattack, which resulted in bigger losses than the latest hack, the exchange’s operator said it boosted security measures by storing more digital coins in hard wallets that effectively keep the currency offline, as opposed to online exchange accounts. It also made repairs to its system, but the latest attack proved those efforts were inadequate.

South Korea has recently become a hotbed for bitcoin and other cryptocurrency trading, drawing many young people and other retail investors to the market. A surge in trading volumes and investor fervor has drawn the attention of South Korea’s government, which last week proposed measures to cool speculation. Regulators there also fined BTC Korea.Com Co., the operator of a large cryptocurrency exchange, for compromising the personal information of thousands of its users after a hack earlier this year.

Separately, Singapore’s central bank Tuesday warned about the “significant risks” involved in investing in digital currencies. The Monetary Authority of Singapore said speculation has driven up values and that the risk of a significant drop in prices is high.


Security remains one of the most critical issues facing the industry. Earlier this month, more than $70 million worth of bitcoin was stolen from a cryptocurrency-mining service called NiceHash after a security breach. The company halted operations more than a week ago and has yet to resume.

One cautionary tale is that of Mt. Gox, once the world’s largest bitcoin exchange. The company lost virtual currency valued at hundreds of millions of dollars in 2014 and was forced to file for bankruptcy protection.

Even so, the price of bitcoin has surged this year and has shown little sign of losing momentum. Bitcoin recently traded around $18,800, according to research site CoinDesk. It started 2017 just below $1,000.

Write to Eun-Young Jeong at and Steven Russolillo at

Multi-stage cyber attacks net North Korea millions in virtual currencies: researchers — “Digital fingerprints of hackers from North Korea”

December 19, 2017



SINGAPORE/SEOUL (Reuters) – A series of recent cyber attacks has netted North Korean hackers millions of dollars in virtual currencies like bitcoin, with more attacks expected as international sanctions drive the country to seek new sources of cash, researchers say.


FILE PHOTO: A screenshot shows a WannaCry ransomware demand, provided by cyber security firm Symantec, in Mountain View, California, U.S. May 15, 2017. Courtesy of Symantec/Handout via REUTERS

North Korea’s government-backed hackers have been blamed for a rising number of cyber attacks, including the so-called WannaCry cyber attack that crippled hospitals, banks and other companies across the globe this year.

Analysts say the explosive growth in the value of bitcoin makes it and other “cryptocurrencies” an attractive target for North Korea, which has become increasingly isolated under international sanctions imposed over its nuclear weapons and missile programs.

Bitcoin BTC=BTSP was trading at over $19,104 per bitcoin at one point on Tuesday, up from less than $1,000 at the beginning of 2017, according to

Researchers in South Korea, which hosts some of the world’s busiest virtual currency exchanges and accounts for 15 to 25 percent of world bitcoin trading on any given day, say attacks this year on exchanges like Bithumb, Coinis, and Youbit have the digital fingerprints of hackers from North Korea.

The researchers’ findings have not been independently verified.

North Korea has rejected accusations that it has been involved in hacking.

A spokesman for South Korea’s Unification Ministry, which handles North Korean affairs, said on Monday the government was considering “countermeasures”, including more sanctions, over the cyber attacks.


Representatives of Bithumb and Coinis declined to comment.

On Monday, a Youbit spokeswoman told Reuters the company had not been targeted by North Korean hackers, and on Tuesday the company announced it had suffered another cyber attack that cost it 17 percent of its assets, forcing the exchange to halt operations and file for bankruptcy.

The hackers behind the second attack were not identified, but one cyber security researcher, who said he was not authorized to speak about the matter as it was being investigated, said there were similarities between the Youbit hack reported on Tuesday and the earlier attack on the company, which has been linked to North Korea.

Another researcher, who worked with Youbit after the first hack in April, said the company has since experienced a consistent string of attacks that used malicious code previously used by North Korea.


South Korea’s intelligence service reported that some 7.6 billion won ($7 million) worth of cryptocurrencies were stolen in those previous attacks on multiple exchanges, according to South Korea’s Chosun Ilbo newspaper.

But that amount could now be worth about 90 billion Korean won ($82 million), Moonbeom Park, a researcher at the Korea Internet and Security Agency, told Reuters.

Malicious code used in attacks over the summer was “virtually identical” to previous attacks connected to North Korea, he said.

The attacks this year began by targeting the companies themselves, stealing customers’ personal information, including names and email addresses, Park said.

Some of those customers were then targeted with so-called spearphishing emails – infected emails designed to look as if they were from South Korea’s taxation agency, the Korean National Tax Service, he said.

Other researchers said the attackers had impersonated other official bodies.

The emails told the recipient that the agency was about to conduct a tax investigation of the user.

An attached document, however, was a Korean-language file infected with a “Trojan Horse” program that would exploit a vulnerability in the Hanword Korean-language word processing software to allow the hackers to remotely control the user’s computer, Park said.

From there, the attackers would access the user’s bitcoin wallet either on the computer, or on the bitcoin exchange’s server, he said. Other researchers said the exchanges were also attacked using fake email accounts.

Cristiana Brafman Kittner, principal analyst at the cybersecurity firm FireEye, said she could not confirm whether North Korea had actually stolen any virtual currencies, but said hackers linked to it had targeted “multiple exchanges” over the past six to nine months.

“We believe that some of the criminal activity we are observing originating from North Korea is a result of the regime looking for alternative sources of revenue,” she said.

“North Korean cyber threat actors present an immediate risk to the financial services sector worldwide.”

Additional reporting by Joyce Lee, Hyonhee Shin, Haejin Choi, Dahee Kim, and Cynthia Kim; Writing by Josh Smith; Editing by Robert Birsel

S. Korea cryptocurrency exchange shuts down after hacking

December 19, 2017


A South Korean exchange trading bitcoin and other virtual currencies declared itself bankrupt on Tuesday after being hacked for the second time this year, highlighting the risk over cryptocurrencies as they soar in popularity.

The Youbit exchange said it had lost 17 percent of its assets in the attack on Tuesday.

It came eight months after nearly 4,000 bitcoin — then valued at 5.5 billion won ($5 million) and nearly 40 percent of the exchange’s total assets — were stolen in a cyber attack blamed on North Korea.


“We will close all trades, suspend all deposits or withdrawals and take steps for bankruptcy,” the exchange said in a statement which did not assign blame for the latest attack.

All its customers will have their cryptocurrency assets marked down by 25 percent, it said, adding it would do its best to “minimise” their losses by using insurance and selling the remains of the firm.

The exchange — founded in 2013 — brokered trades of multiple virtual currencies including bitcoin and ethereum.

It is the first time that a South Korean cryptocurrency exchange has gone bankrupt.

Investing in virtual currencies has become hugely popular in the hyper-wired South, whose trades account for some 20 percent of global bitcoin transactions.

About one million South Koreans, many of them small-time investors, are estimated to own bitcoin. Demand is so high that prices for the unit are around 20 percent higher than in the US, its biggest market.

Global bitcoin prices have soared around 20-fold this year.

Concerns over a potential bubble have unnerved Seoul’s financial regulators, who last week banned its financial institutions from dealing in virtual currencies.

© 2017 AFP


U.S. says did everything possible to help Italy cyber investigation

December 16, 2017


ROME (Reuters) – The United States has denied suggestions it undermined an investigation into a massive data breach at the Italian cybersecurity firm Hacking Team, saying it did everything it could to help in the case.

A Milan magistrate last week recommended shelving an investigation into six people who were suspected of orchestrating the 2015 data theft.


A senior judicial source criticized U.S. officials for not handing over a computer belonging to a key suspect, saying it might have contained information vital to the probe.

But in a comment emailed to Reuters, the U.S. Department of Justice in Washington denied the United States was to blame for the case floundering.

“The United States assisted Italy to the greatest extent possible and the relevant Italian authorities know that,” a U.S. Department of Justice spokesperson wrote.

Magistrates opened their investigation in July 2015 after hackers downloaded 400 gigabytes of data from the firm, which makes software that allows law enforcement and intelligence agencies to tap into the phones and computers of suspects.

Much of the data later showed up on the WikiLeaks website.

The company said at the time it believed former employees had stolen vital code that gave them access to its systems. It also speculated that a foreign government might have been behind the hacking.

The Italian probe led magistrates to a suspect living in Nashville, Tennessee. U.S. authorities raided his house and took the man in for questioning. However, a senior judicial source in Milan, with direct knowledge of the case, said his computer was never sent to Italy for technical assessment.

“We could not carry out the checks on the computer to see if it contained the evidence that we were looking for because the United States did not give it to us. We did not receive an explanation for this decision,” the source said.

Reporting by Manuela D’Alessandro and Crispian Balmer; Editing by Mark Potter

ATM cyber heists hit Pakistan banks

December 11, 2017

This photo shows that HBL ATM software license is not genuine. (AN photo)

ISLAMABAD: An ATM scam affecting hundreds of debit card users in Pakistan has led to several arrests by the country’s Federal Investigation Agency (FIA), which apprehended another four suspects on Sunday.

FIA official Abdul Ghaffar Mirani told Arab News that investigators have unearthed a scam of about $105,000 and expected the number to rise after digital forensic experts searched confiscated equipment and cloned debit cards used by the scammers.

Mirani withheld the exact number of people arrested but said that mostly Chinese nationals had been taken into custody. “Our team is probing further as more complaints are pouring in and data is being compiled from other cities,” he said.

The cyber heist is being dealt with by the FIA’s National Response Center for Cyber Crime (NR3C), the country’s only technology-based crime division, which was set up 10 years ago and assists other law enforcement agencies in Pakistan.

On Friday, FIA Director Shakeel Durrani said at a press briefing that the investigation had revealed the involvement of Canadian, Nigerian and Italian hackers, as well as an Indian scammer identified as Sorev.

The information was divulged by Saqibullah, a Rawalpindi resident running a racketeering business, who as their front man sold stolen financial information to the hackers. He is also involved in identity theft, credit and debit card cloning, and extortion. His arrest has expanded into an FIA investigation searching for his collaborators.

Durrani said, “The prime suspect (Saqibullah) would take photos of ATM machines to match suitable skimming machines that were ordered from other countries.”

The cash withdrawals from the hacked accounts were in China, Canada, Italy, Nigeria, Indonesia, Malaysia and the US, but were not limited to those countries, he said.

The ATM-skimming scam was revealed last week by the country’s largest financial institution, Habib Bank Limited (HBL), which confirmed more than $105,000 had been stolen from 559 hacked HBL customers, mostly in the cities of Karachi and Lahore.

“We have more than 10 million customers, which means that the size of the amount missing is not very significant for the HBL, while the number of customers affected is also low,” said HBL’s corporate and marketing executive Naveed Asghar, who was quoted in a local English daily. “It is a fraud and we must check it and find the culprits … it happens in all the countries that use ATMs,” he said.

Banks using outdated technology fitted with aging security protocols attracted an “organized foreign group” to hack the ATM booths, suggests the FIA, which is approaching the State Bank of Pakistan, the country’s banking regulator, to introduce a biometric policy and enforce it across the banking spectrum.

An HBL official in Islamabad told Arab News: “The practice of skimming is not new,” but the bank’s new biometric security measures, currently being introduced in its ATMs, “will prevent and curb future hacks.” Though HBL seems to be the main target, Standard Chartered Bank, Faysal Bank Limited, Bank Al Habib Limited and other banks have also fallen victim to cybercrime, he said.

“Officially the bank hasn’t sent out warning notifications to customers of this continuing fraud but we are compensating the affected account holders. An internal memo has been circulated for each bank branch to check and monitor the ATMs,” the banking officer said.

Uber Breach and Response Draw Global Government Scrutiny

November 23, 2017

Senator criticizes ‘inexplicable delay’ in announcing the breach, while the FTC and several countries are looking into the issue

An FTC spokesman said the agency is “closely evaluating the serious issues raised.”

Government officials world-wide said they would look at Uber Technologies Inc.’s handling of a major data breach last year.

Uber said Tuesday that it paid hackers $100,000 in an effort to conceal a data breach that affected 57 million accounts. In addition to the names, emails and phone numbers of riders, about 600,000 U.S. drivers’ license numbers were accessed, Uber said.

A Federal Trade Commission spokesman said the agency is “closely evaluating the serious issues raised,” while Sen. Richard Blumenthal (D., Conn.) said on Twitter that the Senate Commerce Committee should hold a hearing to “demand Uber explain their outrageous breach—and inexplicable delay in informing its consumers and drivers.”

San Francisco-based Uber said it would notify owners of the affected accounts in coming days. It fired its chief security officer and a deputy for their role in the breach and covering it up, and Chief Executive Dara Khosrowshahi apologized.

At least three European government agencies are looking into Uber’s handling of the breach, and the New York State Attorney General’s office has opened an investigation.

Uber said in a statement that “we’ve been in touch with several state attorney general offices and the FTC to discuss this issue, and we stand ready to cooperate with them going forward.”

New Mexico’s Attorney General said in a letter to Uber that the company’s reaction to the breach was “gravely concerning” and requested that the company provide more information within 10 days.


Uber hasn’t disclosed a geographic breakdown of the compromised accounts. Uber said Wednesday it was in the process of notifying regulatory and government authorities about the breach. “We expect to have ongoing discussions with them,” an Uber spokesman said. “Until we complete that process we aren’t in a position to get into any more details.”

The FTC has the authority to examine Uber’s cybersecurity efforts and its response to the breach, including any communication, or lack thereof, with the public.

The commission has undertaken at least preliminary investigations, and sometimes very detailed probes, of this nature during past large-scale hacks, looking at whether a hacked company had reasonable data protection practices in place that were in line with industry best practices. The FTC also has examined how companies have responded to any known security weaknesses before a breach took place.

The FTC has pursued enforcement actions when it believed companies weren’t vigilant in following appropriate safeguards.

In September, the FTC said it was investigating a breach at Equifax Inc.

Britain’s Information Commissioner’s Office, which oversees data protection in the country, said it would assess how the breach affected people in the U.K. and what steps Uber would need to take to better comply with data-protection requirements. The office has the power to fine Uber, up to £500,000 ($665,000), for any wrongdoing.

“Deliberately concealing breaches from regulators and citizens could attract higher fines for companies,” said James Dipple-Johnstone, the British agency’s deputy commissioner, in a statement.

In addition to Britain—where Uber also faces a separate legal challenge over drivers’ compensation and a potential ban on operating in London—Italian and Dutch authorities said they also planned to evaluate how Uber handled the data breach.

“We are dismayed by the poor transparency shown towards users, which we intend to investigate,” said Antonello Soro, the Italian Data Protection Authority’s president, in a statement.

A spokesman for the data protection agency in the Netherlands, where Uber bases its European operations, said the agency would examine the reports of the data breach.

Most EU-member authorities don’t currently have the power to impose fines on companies in the case of personal data breaches. This will change under a new regulation taking effect in May 2018.

The National Privacy Commission of the Philippines said it has summoned Uber to a Nov. 23 meeting to discuss the incident and to comply with the formal breach notification procedure under the Data Privacy Act of 2012.

The coverup is another challenge for Uber, which is valued at $68 billion. Mr. Khosrowshahi has tried to bring stability after a year of controversies that took place under CEO Travis Kalanick.

Mr. Khosrowshahi has inherited several federal probes of the company over programs targeting rivals and regulators, as well as a possible violation of the Foreign Corrupt Practices Act.

Uber is in a heated legal battle with Google parent Alphabet Inc., which filed suit in February alleging the company stole trade secrets related to self-driving cars. And it is trying to recover from claims by a former female engineer that management ignored complaints from her and other women of sexism and harassment.

The company has said it is cooperating with federal regulators in their investigations. It disputes the allegations made by Alphabet and is contesting the lawsuit.

Write to Stu Woo at


Uber Paid Hackers to Delete Stolen Data on 57 Million People

November 22, 2017


By Eric Newcomer

  • Company paid hackers $100,000 to delete info, keep quiet
  • Chief Security Officer Joe Sullivan and another exec ousted

Hackers stole the personal data of 57 million customers and drivers from Uber Technologies Inc., a massive breach that the company concealed for more than a year. This week, the ride-hailing firm ousted its chief security officer and one of his deputies for their roles in keeping the hack under wraps, which included a $100,000 payment to the attackers.

Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world, the company told Bloomberg on Tuesday. The personal information of about 7 million drivers was accessed as well, including some 600,000 U.S. driver’s license numbers. No Social Security numbers, credit card information, trip location details or other data were taken, Uber said.

At the time of the incident, Uber was negotiating with U.S. regulators investigating separate claims of privacy violations. Uber now says it had a legal obligation to report the hack to regulators and to drivers whose license numbers were taken. Instead, the company paid hackers to delete the data and keep the breach quiet. Uber said it believes the information was never used but declined to disclose the identities of the attackers.


“None of this should have happened, and I will not make excuses for it,” Dara Khosrowshahi, who took over as chief executive officer in September, said in an emailed statement. “We are changing the way we do business.”


After Uber’s disclosure Tuesday, New York Attorney General Eric Schneiderman launched an investigation into the hack, his spokeswoman Amy Spitalnick said. The company was also sued for negligence over the breach by a customer seeking class-action status.

Hackers have successfully infiltrated numerous companies in recent years. The Uber breach, while large, is dwarfed by those at Yahoo, MySpace, Target Corp., Anthem Inc. and Equifax Inc. What’s more alarming are the extreme measures Uber took to hide the attack. The breach is the latest scandal Khosrowshahi inherits from his predecessor, Travis Kalanick.



Kalanick, Uber’s co-founder and former CEO, learned of the hack in November 2016, a month after it took place, the company said. Uber had just settled a lawsuit with the New York attorney general over data security disclosures and was in the process of negotiating with the Federal Trade Commission over the handling of consumer data. Kalanick declined to comment on the hack.

Joe Sullivan, the outgoing security chief, spearheaded the response to the hack last year, a spokesman told Bloomberg. Sullivan, a onetime federal prosecutor who joined Uber in 2015 from Facebook Inc., has been at the center of much of the decision-making that has come back to bite Uber this year. Bloomberg reported last month that the board commissioned an investigation into the activities of Sullivan’s security team. This project, conducted by an outside law firm, discovered the hack and the failure to disclose, Uber said.


Here’s how the hack went down: Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.
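The weak point in that chain is credentials sitting in a source repository. The sketch below is an added example, not part of the original article or any Uber code: it scans checked-out files for AWS-style access keys before they are committed. The article says only "login credentials", so the AWS key format is an assumption, and the sample file contents are constructed using AWS's published documentation placeholder keys.

```python
import math
import re

# Constructed sample: two files as they might appear in a repository checkout.
# The key values are AWS's published documentation placeholders, not real keys.
SAMPLE_REPO = {
    "deploy/settings.py": (
        "REGION = 'us-west-2'\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "README.md": "Set credentials through the environment, never in code.\n",
}

# Long-term access key IDs start with AKIA; temporary (STS) ones with ASIA.
KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Secret keys are 40 characters drawn from the base64 alphabet.
SECRET = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")


def entropy(s):
    """Shannon entropy in bits per character; random keys score high."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan(files, min_entropy=4.0):
    """Return (path, line_number, kind) for each suspected credential."""
    findings = []
    for path, text in sorted(files.items()):
        for lineno, line in enumerate(text.splitlines(), start=1):
            if KEY_ID.search(line):
                findings.append((path, lineno, "aws-access-key-id"))
            for m in SECRET.finditer(line):
                # The entropy floor drops 40-character words and padding runs.
                if entropy(m.group()) >= min_entropy:
                    findings.append((path, lineno, "aws-secret-key-candidate"))
    return findings


if __name__ == "__main__":
    for path, lineno, kind in scan(SAMPLE_REPO):
        print(f"{path}:{lineno}: {kind}")
```

A check like this belongs in a pre-commit hook or CI job. Any key it finds in history should be rotated, since deleting the file does not remove it from earlier commits.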

A patchwork of state and federal laws require companies to alert people and government agencies when sensitive data breaches occur. Uber said it was obligated to report the hack of driver’s license information and failed to do so.

“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals,” Khosrowshahi said. “We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”

Uber has earned a reputation for flouting regulations in areas where it has operated since its founding in 2009. The U.S. has opened at least five criminal probes into possible bribes, illicit software, questionable pricing schemes and theft of a competitor’s intellectual property, people familiar with the matters have said. The San Francisco-based company also faces dozens of civil suits. London and other governments have taken steps toward banning the service, citing what they say is reckless behavior by Uber.

In January 2016, the New York attorney general fined Uber $20,000 for failing to promptly disclose an earlier data breach in 2014. After last year’s cyberattack, the company was negotiating with the FTC on a privacy settlement even as it haggled with the hackers on containing the breach, Uber said. The company finally agreed to the FTC settlement three months ago, without admitting wrongdoing and before telling the agency about last year’s attack.

The new CEO said his goal is to change Uber’s ways. Uber said it informed New York’s attorney general and the FTC about the October 2016 hack for the first time on Tuesday. Khosrowshahi asked for the resignation of Sullivan and fired Craig Clark, a senior lawyer who reported to Sullivan. The men didn’t immediately respond to requests for comment.

Khosrowshahi said in his emailed statement: “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”

The company said its investigation found that Salle Yoo, the outgoing chief legal officer who has been scrutinized for her responses to other matters, hadn’t been told about the incident. Her replacement, Tony West, will start at Uber on Wednesday and has been briefed on the cyberattack.


Kalanick was ousted as CEO in June under pressure from investors, who said he put the company at legal risk. He remains on the board and recently filled two seats he controlled.

Uber said it has hired Matt Olsen, a former general counsel at the National Security Agency and director of the National Counterterrorism Center, as an adviser. He will help the company restructure its security teams. Uber hired Mandiant, a cybersecurity firm owned by FireEye Inc., to investigate the hack.

The company plans to release a statement to customers saying it has seen “no evidence of fraud or misuse tied to the incident.” Uber said it will provide drivers whose licenses were compromised with free credit protection monitoring and identity theft protection.

— With assistance by Erik Larson
