Uber allegedly paid $100,000 ransom and had hackers sign NDAs after massive data breach

Uber allegedly had hackers sign NDAs

New details about how Uber responded to a massive hack attack in 2016 raise questions about the way it handled sensitive customer information. Instead of reporting the hackers to police, the company allegedly paid $100,000 in exchange for a promise to delete 57 million user files the men stole off a third party server, prosecutors said. 

Within weeks of paying the ransom, Uber employees showed up at Brandon Glover's Winter Park, Florida, home and found Vasile Mereacre at a hotel restaurant in Toronto, Canada, the Justice Department said. The pair admitted their crimes, but Uber didn't turn them over to the cops. Instead, they had the hackers sign non-disclosure agreements, promising to keep quiet. The two hackers pleaded guilty on Wednesday.  

But there was a third person involved who was unknown to Uber, U.S. attorney for Northern California Dave Anderson told CBS News correspondent Kris Van Cleave in an exclusive interview. Anderson, who investigated the hack, said there's "no way to know definitively" what actually happened to the stolen data. 

Van Cleave: Do you feel that Uber acted responsibly?

Anderson: Absolutely not.

Van Cleave: Have you seen a company ask for an NDA from people who've ripped them off before?

Anderson: I can't think of another case that our office has handled that has that dimension to it. This case is extraordinary in that regard.

Van Cleave: Do you know what was done with that data after they paid?

Anderson: Not definitively and there's no way to know definitively. We know that the defendants said that they destroyed that data … but there was a third participant in the hack. And that third participant was unknown to Uber.

The hackers also targeted a company owned by LinkedIn in December of 2016, but prosecutors say LinkedIn did not pay and promptly reported the hack to police. Uber eventually did as well — a year after the hack, when new CEO, Dara Khosrowshahi, publicly disclosed the attack.

Asked about the culture at Uber in 2018, Khosrowshahi told CBS News, "I think we've definitely made steps in the right direction but the work of culture is never done. … Are we going to make mistakes? Yep, but are we going to get better every year? Absolutely." 

The two known hackers were eventually arrested and pleaded guilty on Wednesday to conspiracy to commit extortion charges. They face a maximum of five years in prison. The third person involved remains at large.

Uber said it cannot comment on an ongoing criminal investigation. Last year it settled with the FTC and paid $148 million to settle a nationwide investigation brought by state attorneys general.

"Uber behaved atrociously," "Wired" Editor-in-Chief Nick Thompson said. Thompson warned that personal data remains vulnerable with cyber crimes on the rise.

"We've come up with all kinds of smart ways to protect data, and hackers have come up with all kinds of smart ways to get through our protections," he said. "Your data is held in a bunch of places. And each one of those places needs to be secured."