Most parents believe that rewarding bad behaviour is a recipe for disaster. The same principle surely applies to hackers, as best practice states that – generally – demands for ransom should not be met. Uber seems to have ignored this and, as recent revelations have shown, has gone ahead and paid a neat $100k to a group of hackers who breached their security last year.
A whopping 57m global user accounts were breached in 2016, along with the personal details of over half a million of its drivers in the US. Instead of coming clean, the embattled ride-hailing business tried to buy off the hackers with $100k.
Uber has form in this area. It solemnly promised to disclose any new data breaches to the authorities after failing to do so in 2014 – taking a $20,000 hit from the New York attorney general. Each US state has its own regulations connected with when data breaches should be disclosed, but a breach of this scale is more than large enough to qualify across the board. UK users are expected to also be affected by this breach.
As a general rule, it is considered worst practice to pay hackers’ ransom demands; as it only encourages them and, as likely as not, they won’t give back the stolen data anyway. Uber has stated that the payment of (again) $100k ensured that the hackers deleted all trace of the stolen data… in the absence of any proof of this, we can only roll our eyes and respond with a half-hearted ‘Yeah, sure’.