Two men are facing prison after pleading guilty this week to blackmailing Uber and trying to extort LinkedIn, having stolen millions of customer records and held them for ransom.
Vasile Mereacre of Toronto and Brandon Charles Glover, of Winter Springs, Fla., admitted that during a four-month period starting in October 2016, they partnered to use stolen log-in credentials to gain access to confidential corporate databases being stored on Amazon Web Services.
Both men pleaded guilty to one count of conspiracy to commit extortion involving computers. They will be sentenced in March 2020. In the meantime, they were released on bond. The maximum penalty is five years in federal prison and a US$250,000 fine.
In the case of Uber, the ride-sharing company was fined US$146 million by American authorities to settle allegations it intentionally concealed the 2016 data breach of 57 million Uber users and drivers from victims and paid off the hackers in violation of state data breach notification laws.
According to a statement from the U.S. Justice Department, the pair admitted they provided credentials regarding Uber’s Amazon Web Services account to an unidentified “technically proficient hacker.”
The hacker identified 57 million Uber user records consisting of customer and driver data. Then Mereacre and Glover downloaded the records from Amazon Web Services.
On Nov. 14, 2016, using an alias and an encrypted email account, they contacted Uber claiming to have found a major vulnerability in the company’s computer security systems. Uber was shown a portion of the database as proof, then was given a demand for payment in exchange for deleting the stolen data. Uber agreed to pay US$100,000 in bitcoin to the defendants through a third party but, as part of the agreement, Uber asked that the defendants also sign a confidentiality agreement. Also as part of the deal, Uber demanded that the payment for the data breach remain confidential and that the defendants destroy the data they had stolen.
After three weeks of negotiation, Uber made two US$50,000 payments, one on Dec. 8 and the other on Dec. 14, 2016. Then, in January 2017, Uber told the pair that it had discovered Glover’s true identity. On Jan. 3, 2017, a representative from Uber met with Glover at his Florida home, where Glover admitted his role in the data breach and signed a confidentiality agreement in his true name. On Jan. 5, 2017, a representative from Uber met with Mereacre at a hotel restaurant in Toronto, where Mereacre admitted his role in the data breach and signed a confidentiality agreement in his true name.
Mereacre and Glover tried the same trick in an aborted attempt to extort funds from Lynda.com’s parent company, LinkedIn.
In December 2016, they downloaded over 90,000 confidential Lynda.com user accounts from Lynda.com’s Amazon Web Services account. On December 11, 2016, the defendants emailed a portion of the user account information to the security team at LinkedIn as proof and demanded compensation in exchange for deleting the stolen data.
Rather than pay the bounty, LinkedIn tried to lure the author of the email into enrolling with a third party that would supposedly negotiate the terms of payment to the defendants. In this way, LinkedIn hoped to identify the extortionist and notify law enforcement of the plot. The plan was ultimately unsuccessful, and LinkedIn never paid up.
“Companies like Uber are the caretakers, not the owners, of customers’ personal information,” U.S. Attorney Anderson said in a news release. “What gets stolen in a computer extortion belongs to your neighbours, not to yourselves. Don’t be so concerned with your image or reputation. Be concerned with the real losses others have suffered. Report the intrusion promptly. Cooperate with law enforcement.”
“We’re dealing with the most sophisticated cyber actors in the world,” said FBI Special Agent in Charge Bennett. “In order to take on those people on the front lines of the cybersecurity battle, we rely heavily on our valued relationships and open dialogue with private sector companies in cyber industries. Their willingness to speedily report intrusions to our investigators allows us to find and arrest those who commit data breaches.”
The stolen Uber data included personal information of over 800,000 Canadians. At the time of the theft, only Alberta had a mandatory data breach reporting law. That law required companies to report a breach to the Alberta privacy commissioner, who then decides whether Albertans have to be notified. It was only in February 2018 that Uber Canada officially told Canadian victims of the incident.
According to the Alberta ruling, Uber Canada gave the provincial privacy commissioner a copy of the data breach notification it had sent to the Dutch Data Protection Agency in November 2017. It notified the Dutch authority first because the stolen data had been held on a server in Holland. But Uber Canada argued that, while the stolen data included user names, email addresses, hashed data and technical data, it did not believe the information posed a real risk of significant harm (often called RRoSH) to an individual. Driver data included their drivers’ licenses. Drivers were notified, but users weren’t. The RRoSH test is the threshold for determining whether victims have to be notified.
Uber argued to Alberta that there was no need to notify victims because it had obtained promises from the hackers that the data was destroyed in exchange for the payment. It also argued that email addresses and phone numbers by themselves aren’t a risk.
Alberta privacy commissioner Jill Clayton didn’t buy it.
“In my view, a reasonable person would consider that the identity information of drivers (specifically driver’s license numbers), particularly in combination with other personal information elements at issue, could be used to cause the harms of identity theft and fraud. These are significant harms. Particularly when combined with profile information (information that individuals are customers/drivers), individual names, mobile telephone numbers and email addresses of riders and drivers could be used to send sophisticated, user-specific phishing emails and text messages purportedly from Uber,” she added. “Merely clicking on a link, without a user providing any additional information, could potentially cause significant harm (e.g. activate malware, infect users’ computer/networks).”
The November 2018 federal privacy law, the Personal Information Protection and Privacy Act (PIPEDA), includes the RRoSH test both for notifying victims and for notifying the federal privacy commissioner. The difference is that it is up to organizations, not the federal privacy commissioner, to decide whether the test has been met. However, a firm that makes the wrong decision could be disciplined.