Uber allegedly paid up $100K and made hackers sign NDAs after data breach

The men demanded money from companies in exchange for agreeing to delete data they'd stolen.

Abrar Al-Heeti Technology Reporter
Abrar Al-Heeti is a technology reporter for CNET, with an interest in phones, streaming, internet trends, entertainment, pop culture and digital accessibility. She's also worked for CNET's video, culture and news teams. She graduated with bachelor's and master's degrees in journalism from the University of Illinois at Urbana-Champaign. Though Illinois is home, she now loves San Francisco -- steep inclines and all.
Expertise Abrar has spent her career at CNET analyzing tech trends while also writing news, reviews and commentaries across mobile, streaming and online culture. Credentials
  • Named a Tech Media Trailblazer by the Consumer Technology Association in 2019, a winner of SPJ NorCal's Excellence in Journalism Awards in 2022 and has three times been a finalist in the LA Press Club's National Arts & Entertainment Journalism Awards.
Corinne Reichert Senior Editor
Corinne Reichert (she/her) grew up in Sydney, Australia and moved to California in 2019. She holds degrees in law and communications, and currently writes news, analysis and features for CNET across the topics of electric vehicles, broadband networks, mobile devices, big tech, artificial intelligence, home technology and entertainment. In her spare time, she watches soccer games and F1 races, and goes to Disneyland as often as possible.
Expertise News, mobile, broadband, 5G, home tech, streaming services, entertainment, AI, policy, business, politics Credentials
  • I've been covering technology and mobile for 12 years, first as a telecommunications reporter and assistant editor at ZDNet in Australia, then as CNET's West Coast head of breaking news, and now in the Thought Leadership team.
Abrar Al-Heeti
Corinne Reichert
4 min read

Two hackers demanded Uber pay them in exchange for deleting stolen data.

Angela Lang/CNET

Two men pleaded guilty in US federal court on Wednesday to hacking and extorting companies including Uber and LinkedIn, according to the US Department of Justice. The hackers had demanded money from companies in exchange for agreeing to delete confidential data they had stolen. Uber allegedly paid the hackers $100,000 instead of reporting the breach to the police, and had two hackers sign a nondisclosure agreement, CNET sister site CBS News reported Thursday.

Dave Anderson, a US attorney for Northern California, told CBS News that Uber "absolutely" acted irresponsibly by asking the hackers to delete the 57 million user files and promise to keep quiet about the hack.

"This case is extraordinary," Anderson said. In addition, there was a third party who took part in the data breach, he alleged. "We know that the defendants said that they destroyed that data ... but there was a third participant in the hack. And that third participant was unknown to Uber." Uber told CBS that it can't comment on an ongoing criminal investigation.

By comparison, prosecutors said LinkedIn didn't pay and reported the hack to police at the time.

The two people who pleaded guilty were Brandon Charles Glover and Vasile Mereacre, who admitted they took part in a conspiracy to access confidential corporate databases on Amazon Web Services using stolen credentials, according to a Justice Department press release. After downloading the information, Glover and Mereacre told companies they found vulnerabilities in employees' use of the systems. They then demanded the companies give them money in exchange for their deleting the data, the Justice Department said, as reported earlier Wednesday by CNET sister site ZDNet.

The men used an alias and an encrypted email account to reach out to companies and tell them their data was vulnerable, the DOJ said. They also shared a sample of the stolen data to show their systems had been breached before demanding money in return for deleting the data. 

"We're dealing with the most sophisticated cyber actors in the world," FBI Special Agent in Charge John F. Bennett said in a statement. "In order to take on those people on the front lines of the cybersecurity battle, we rely heavily on our valued relationships and open dialogue with private sector companies in cyber industries. Their willingness to speedily report intrusions to our investigators allows us to find and arrest those who commit data breaches."

Glover and Mereacre said they gave credentials for Uber's Amazon Web Services account to a "technically proficient hacker" who found archive files with 57 million Uber user records made up of customer and driver data. The men said they illegally downloaded the records and contacted Uber in November 2016 saying they found a major vulnerability in the rideshare company's computer security systems. According to the defendants' plea arguments, Uber said it would pay the men $100,000 in bitcoin via a third party if the defendants signed a confidentiality agreement. The company demanded the payment stay confidential and that the men destroy the data. 

Following three weeks of negotiating, Uber made the payments in December. In January 2017, Uber told the defendants it had found Glover's real identity. A representative from the company met with Glover at his home in Florida, where he admitted his role in the plot and signed a confidentiality agreement using his real name. Two days later, an Uber representative met with Mereacre in Toronto, and he, too, admitted his role in the breach and signed a confidentiality agreement. 

Similarly, the defendants obtained information on more than 90,000 confidential Lynda.com user accounts, which they had illegally accessed and downloaded from the platform's Amazon Web Services account. (LinkedIn is Lynda.com's parent company.) After emailing some of the user account information to LinkedIn's security team and demanding compensation to delete the data, LinkedIn began searching for the source of the email. 

The defendants told LinkedIn representatives: "[p]lease keep in mind, we expect a big payment as this was hard work for us, we already helped a big corp which paid close to seven digits, all went well." The men stopped communicating with LinkedIn in January 2017, and the company didn't end up paying them.

Glover and Mereacre were each charged with one count of conspiracy to commit extortion involving computers. They've been released on bond pending sentencing. US District Judge Lucy H. Koh scheduled a status conference on sentencing on March 18, 2020. The men could face up to five years in prison and a $250,000 fine. 

"We appreciate the ongoing work by the US Attorney's office to pursue and bring to justice those responsible for the 2016 breach of Lynda user information," a LinkedIn representative said in a statement. "We're glad to see the resolution of this investigation."

Uber declined to comment Wednesday.

Watch this: Here’s how cybercriminals profit from hacking ATMs

Originally published Oct. 30, 5:13 p.m. PT.
Updates, 5:30 p.m.: Adds that Uber declined to comment; Oct. 31: Includes CBS News report about Uber allegedly paying $100,000 and asking hackers to sign NDAs.