Two men reportedly face a up to five years in prison after pleading guilty in federal court on Wednesday to hacking into Uber's and Lynda.com's databases and holding their contents for ransom.
According to reports, Brandon Glover of Winter Springs, Florida and Vasile Mereacre of Toronto, Canada, admitted to hacking into the GitHub accounts of Uber and Lynda.com employees in 2016. These accounts contained credentials for Amazon Web Services, which they used to access AWS servers holding the companies' precious data.
The Uber breach impacted 57 million customers and drivers, located worldwide, while the breach of Lynda.com, an online learning platform subsidiary of LinkedIn (later rebranded LinkedIn Learning), affected 90,000 customer accounts. In both cases, the defendants in the case attempted to extort a payment from the companies in the guise of a "reward."
A superseding indictment issued on Oct. 30 by the U.S. Attorney's Office offered a closer look at the breaches and how the victims responded.
At one point, the defendants sent an email to LinkedIn describing the data they managed to grab. "Before I continue, I would like to say that this does not look good, I was able to access backups upon backups , me and my team would like a huge reward for this, [sic]. The things we found were some of the following, [L]ynda database, email names addresses, usernames, some passwords, payments, we also found backend code and many more." The email later continues, "Before I continue, I would like to ask that you guys will promise to compensate for this find."
Lynda.com opted to publicly disclose the breach rather than pay up. Uber, on the other hand agreed to pay the hackers $100,000, and originally kept the incident quiet. According to the superseding indictment, Uber had Glover and Mereacre sign confidentiality agreements stipulating that they would not use the stolen use or publicly expose the breach.
Later, under new leadership, the company on Nov. 22, 2017 publicly owned up to the breach and its subsequent cover-up, and in September 2018 accepted a settlement of a $148 million fine from the Federal Trade Commission for its actions.
"Companies like Uber are the caretakers, not the owners, of customers' personal information," said U.S. Attorney Anderson in a press release. “What gets stolen in a computer extortion belongs to your neighbors, not to yourselves. Don't be so concerned with your image or reputation. Be concerned with the real losses others have suffered. Report the intrusion promptly. Cooperate with law enforcement."
"We're dealing with the most sophisticated cyber actors in the world," said FBI Special Agent in Charge John Bennett in the same release. "In order to take on those people on the front lines of the cybersecurity battle, we rely heavily on our valued relationships and open dialogue with private sector companies in cyber industries. Their willingness to speedily report intrusions to our investigators allows us to find and arrest those who commit data breaches.