New details about the cyberattack Uber sustained in 2016 have been revealed, specifically about how the company allegedly handled the incident.
According to prosecutors, Uber paid hackers $100,000 in exchange for a promise to delete the 57 million user files the hackers stole from a third-party server – instead of reporting the incident to police first.
Weeks after paying the ransom, Uber employees allegedly visited the hackers – Brandon Glover in Winter Park, FL and Vasile Mereacre in Toronto, Canada. Both admitted to the crimes, but instead of turning them over to the police, Uber asked the two to sign non-disclosure agreements to not mention anything about the attack, it is alleged.
Both hackers were later arrested and pleaded guilty on Wednesday to charges of conspiracy to commit extortion for hacking Uber and Lynda.com in 2016. They each face a maximum of five years in prison.
But US attorney for Northern California Dave Anderson revealed to CBS News in an interview that there is more to this complicated case. Anderson said that there was a third person involved in the hack whose identity is unknown to Uber, and added that there is “no way to know definitively” what happened to the stolen data.
“We know that the defendants said that they destroyed that data … but there was a third participant in the hack. And that third participant was unknown to Uber,” the attorney added.
When asked if Uber acted responsibly during the incident, Anderson said “absolutely not.”