Two Plead Guilty To Cyber Ransom Plot In Massive 2016 Uber Users Data Breach
SAN JOSE (CBS SF) -- A Florida man and a Canadian citizen pleaded guilty in San Jose federal court Wednesday to attempting to extort cyber ransoms from Uber and LinkedIn's Lynda.com after stealing customer data from the companies' cloud storage.
Brandon Charles Glover, of Winter Springs, Fla., and Vasile Mereacre, of Toronto, Canada, admitted that from October 2016 through January 2017 they engaged in a conspiracy to use stolen log-on credentials to gain access to confidential corporate databases stored on Amazon Web Services.
Each defendant pleaded guilty to one count of conspiracy to commit extortion involving computers. At their March 2020 sentencing, each faces up to five years in federal prison and a fine of up to $250,000.
"We're dealing with the most sophisticated cyber actors in the world," said FBI Special Agent in Charge John F. Bennett in a news release. "In order to take on those people on the front lines of the cyber security battle, we rely heavily on our valued relationships and open dialogue with private sector companies in cyber industries. Their willingness to speedily report intrusions to our investigators allows us to find and arrest those who commit data breaches."
The Uber breach captured national headlines and led to a $148 million settlement over allegations that the Bay Area company violated state data breach reporting and data security laws.
California Attorney General Xavier Becerra was highly critical of Uber at the time the settlement was announced in 2018. The ride-hailing service was accused of exposing 57 million users' data and paying hackers to cover up the breach in 2016 rather than reporting it to proper authorities.
"Uber's decision to cover up this breach was a blatant violation of the public's trust," Becerra said in a statement. "The company failed to safeguard user data and notify authorities when it was exposed. Consistent with its corporate culture at the time, Uber swept the breach under the rug in deliberate disregard of the law."
The settlement follows California's independent investigation of Uber's conduct, which alleged that the company failed to inform more than 174,000 California drivers of a data breach exposing their personal information, including names and driver's license numbers.
Rather than notifying the drivers as required by law, Uber covered up the breach and then paid hackers $100,000 in exchange for their silence.
The nationwide settlement, which California helped to lead, calls for a $148 million penalty payment by Uber benefiting all 50 states and the District of Columbia.
In addition to the civil penalties, the settlement also required that Uber:
- Implement and maintain robust data security practices.
- Comply with state laws in connection with its collection, maintenance, and safeguarding of personal information, as well as reporting of data security incidents.
- Accurately and honestly represent data security and privacy practices to better ensure transparency in how the company's driver and customer information is safeguarded.
- Develop, implement, and maintain a comprehensive information security program with an executive officer who advises key executive staff and Uber's Board of Directors.
- Report any data security incidents to states on a quarterly basis for two years.
- Maintain a Corporate Integrity Program that includes a hotline to report misconduct, quarterly reports to the board, implementation of privacy principles, and an annual code of conduct training.
The plea agreements describe in some detail how the extortion attempt worked.
With respect to Uber, the defendants admitted they provided stolen log-in credentials to Uber's Amazon Web Services account to a "technically proficient hacker." The hacker identified archive files that contained 57 million Uber user records consisting of customer data and driver data.
The defendants admitted they illegally accessed and downloaded the records from Amazon's servers on November 14, 2016, then contacted Uber claiming to have found a major vulnerability in the ride-share giant's computer security systems.
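Seen from the defender's side, the sequence the plea agreements describe (a leaked credential for the AWS account, a look through the storage for archive files, then bulk retrieval of those archives from an address the credential is not normally used from) is exactly the activity that S3 object-level logging in AWS CloudTrail records. The Python below is an added example, not code from the original article, from Uber or from AWS: it runs a simple burst-of-archive-downloads rule over a handful of constructed CloudTrail-style records and flags any access key that pulls several archive objects in a short window, noting whether it did so from a source IP outside that key's baseline. The CloudTrail field names are real; the access key IDs, bucket, object names, IP addresses and baseline set are all invented for the illustration.

```python
"""Flag a credential that bulk-downloads archive objects from S3.

Added example for the credential-theft scenario in the article above.
Field names (eventTime, eventName, userIdentity.accessKeyId, sourceIPAddress,
requestParameters.bucketName / key) follow AWS CloudTrail S3 data events, but
every value below is constructed for this illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Object suffixes treated as "archive" files worth alerting on in bulk.
ARCHIVE_SUFFIXES = (".tar.gz", ".tgz", ".zip", ".gz", ".7z", ".bak")

# Constructed baseline: the source IPs each access key is normally seen from
# (for example a corporate egress range). In production this would be derived
# from historical CloudTrail data rather than hard-coded.
KNOWN_SOURCE_IPS = {
    "AKIAEXAMPLEDEVKEY": {"203.0.113.10"},
    "AKIAEXAMPLEOPSKEY": {"203.0.113.10"},
}

# Constructed CloudTrail-style S3 data events, one JSON record per line.
# The DEVKEY credential is used legitimately on Nov 13, then from an unknown
# address on Nov 14 to list a backups prefix and fetch three archives.
SAMPLE_LOG = """
{"eventTime":"2016-11-13T09:00:00Z","eventName":"GetObject","userIdentity":{"accessKeyId":"AKIAEXAMPLEDEVKEY"},"sourceIPAddress":"203.0.113.10","requestParameters":{"bucketName":"corp-data","key":"backups/config-2016-11-12.zip"}}
{"eventTime":"2016-11-14T14:00:30Z","eventName":"ListObjects","userIdentity":{"accessKeyId":"AKIAEXAMPLEDEVKEY"},"sourceIPAddress":"198.51.100.77","requestParameters":{"bucketName":"corp-data","prefix":"backups/"}}
{"eventTime":"2016-11-14T14:01:05Z","eventName":"GetObject","userIdentity":{"accessKeyId":"AKIAEXAMPLEDEVKEY"},"sourceIPAddress":"198.51.100.77","requestParameters":{"bucketName":"corp-data","key":"backups/riders-2016-11.tar.gz"}}
{"eventTime":"2016-11-14T14:02:10Z","eventName":"GetObject","userIdentity":{"accessKeyId":"AKIAEXAMPLEDEVKEY"},"sourceIPAddress":"198.51.100.77","requestParameters":{"bucketName":"corp-data","key":"backups/drivers-2016-11.tar.gz"}}
{"eventTime":"2016-11-14T14:03:30Z","eventName":"GetObject","userIdentity":{"accessKeyId":"AKIAEXAMPLEDEVKEY"},"sourceIPAddress":"198.51.100.77","requestParameters":{"bucketName":"corp-data","key":"backups/trips-2016-11.zip"}}
{"eventTime":"2016-11-14T15:10:00Z","eventName":"GetObject","userIdentity":{"accessKeyId":"AKIAEXAMPLEOPSKEY"},"sourceIPAddress":"203.0.113.10","requestParameters":{"bucketName":"corp-data","key":"backups/nightly.tar.gz"}}
{"eventTime":"2016-11-14T15:11:00Z","eventName":"GetObject","userIdentity":{"accessKeyId":"AKIAEXAMPLEOPSKEY"},"sourceIPAddress":"203.0.113.10","requestParameters":{"bucketName":"corp-data","key":"reports/daily.csv"}}
"""


def parse_events(log_text):
    """Parse newline-delimited JSON records into flat dicts with a datetime."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        params = rec.get("requestParameters", {})
        events.append({
            "time": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "key_id": rec["userIdentity"].get("accessKeyId", ""),
            "ip": rec["sourceIPAddress"],
            "name": rec["eventName"],
            "bucket": params.get("bucketName", ""),
            "object": params.get("key", ""),  # absent on ListObjects
        })
    return events


def find_bulk_archive_downloads(events, known_ips,
                                window=timedelta(minutes=10), threshold=3):
    """Return one alert per access key that fetched >= threshold archive
    objects inside any `window`-long interval. Each alert lists the objects in
    the densest burst and any source IPs outside the key's known baseline."""
    by_key = defaultdict(list)
    for e in events:
        if e["name"] == "GetObject" and e["object"].lower().endswith(ARCHIVE_SUFFIXES):
            by_key[e["key_id"]].append(e)

    alerts = []
    for key_id, downloads in sorted(by_key.items()):
        downloads.sort(key=lambda e: e["time"])
        best_count, best_start, start = 0, 0, 0
        # Sliding window over the time-sorted downloads for this key.
        for end in range(len(downloads)):
            while downloads[end]["time"] - downloads[start]["time"] > window:
                start += 1
            if end - start + 1 > best_count:
                best_count, best_start = end - start + 1, start
        if best_count < threshold:
            continue
        burst = downloads[best_start:best_start + best_count]
        baseline = known_ips.get(key_id, set())
        alerts.append({
            "access_key_id": key_id,
            "count": best_count,
            "objects": [e["object"] for e in burst],
            "unknown_source_ips": sorted({e["ip"] for e in burst} - baseline),
        })
    return alerts


def analyze(log_text=SAMPLE_LOG, known_ips=KNOWN_SOURCE_IPS):
    """Run the rule over a log text; returns the list of alerts."""
    return find_bulk_archive_downloads(parse_events(log_text), known_ips)


if __name__ == "__main__":
    for alert in analyze():
        print(json.dumps(alert, indent=2))
```

Two practical caveats. Object-level S3 activity of this kind only appears in CloudTrail if S3 data events are enabled on the trail; the default management-event logging would show the account's API calls but not the individual GetObject requests. And the rule is deliberately simple: a single extra archive download from a known address (the OPSKEY records above) stays silent, while the same key fetching several archives within minutes from an unfamiliar address is what produces the alert, which is the pattern to pair with an immediate key rotation.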
Glover and Mereacre provided a portion of the stolen database as proof and demanded payment in exchange for a promise they would delete the stolen data.
Uber agreed to pay $100,000 in bitcoin to the defendants through a third party, but as part of the agreement demanded that the defendants also sign a confidentiality agreement.
According to the plea agreements, Uber demanded that the payment for the data breach remain confidential and that the defendants destroy the data that they stole.
After three weeks of negotiation, Uber made two $50,000 payments, one on December 8 and the other on December 14, 2016. Then, in January 2017, Uber informed the defendants that it had discovered Glover's true identity.
On January 3, 2017, a representative from Uber met with Glover at his Florida home, where Glover admitted his role in the data breach and signed a confidentiality agreement. On January 5, 2017, a representative from Uber met with Mereacre at a hotel restaurant in Toronto, Canada, where Mereacre admitted his role and also signed a confidentiality agreement in his true name.