scorecardresearch Skip to main content

Mass. AG launches investigation into Uber data breach

Massachusetts Attorney General Maura Healey.DREW ANGERER/GETTY IMAGES/File

Massachusetts Attorney General Maura Healey is the latest official to investigate ride-hailing pioneer Uber after the company acknowledged this week that it was the target of a massive data breach in 2016.

The Democrat told WGBH-FM on Wednesday that she had requested documents and other information from Uber, adding her office is ‘‘keeping all criminal and civil options on the table.’’

Uber said hackers stole personal information about more than 57 million of its customers and drivers, but that there was no evidence the stolen data was misused. The company said it paid the hackers $100,000 to destroy the material.

Healey says Uber knew about the theft for a year and failed to disclose it as required under Massachusetts law.


Other law enforcement officials, including New York Attorney General Eric Schneiderman, have opened investigations into the data breach, including whether the company violated laws requiring the disclosure of major breaches to customers and legal authorities.

Uber’s admission also raises questions about the ongoing practice of paying off hackers, which some experts warn encourages criminals to keep on hacking away at major corporations and the consumers who’ve entrusted them with their personal information.

While many security experts have criticized Uber for paying off the hackers with a ransom — which the company later categorized as a ‘‘bug bounty’’ awarded to security researchers — others saw the $100,000 payment as a relative bargain that also successfully secured users’ data.

‘‘Uber paid $100K to protect 57M people? Good,’’ tweeted Dan Kaminsky, chief scientist at security firm White Ops. ‘‘I think people forget the goal is actually to prevent harm. Yeah, those hackers could totally have kept the data. But then, their identities were known, and they knew they might face consequences. Not ideal, welcome to the real.’’

The October 2016 hack started at the software repository GitHub, a platform where developers can go to host and review each other’s code. Bloomberg reported that two Uber developers had stashed credentials for the company’s data stores in their code on GitHub.


Uber hasn’t explained how its developers’ private account on the site was compromised, but it likely involved some carelessness, said Kyle Flaherty of the Boston cybersecurity firm Rapid7.

‘‘It’s like any other account you have,’’ Flaherty said. ‘‘Be stringent with your own credentials and be aware of other login credentials that might be inside the repository itself, whether it’s in the code or elsewhere.’’

Bloomberg reported that two Uber developers had stashed credentials for the company’s data stores in their code on GitHub.

GitHub said Wednesday that the breach was not the result of a failure of its own security, but declined further comment. It also reiterated that it recommends against storing access tokens, passwords or other authentication or encryption keys in code stored on the site — and warned developers who do so to use extra safeguards to prevent unauthorized access.