The Ride That Cost $148 Million: Uber's Cover-Up


The Uber Breach: The Ride That Cost $148 Million

The hack was straightforward. The cover-up was catastrophic.

In October 2016, two hackers in their twenties — Brandon Glover, a Florida resident, and Vasile Mereacre, a Canadian — discovered something they were not supposed to find: a file on GitHub containing Amazon Web Services credentials belonging to Uber Technologies.

From there, the attack was almost embarrassingly simple. The credentials worked. The AWS environment contained a data store with a backup archive of Uber’s user and driver database. The archive contained names, email addresses, and phone numbers for 57 million Uber customers and drivers — including the driver’s license numbers of approximately 600,000 Uber drivers in the United States.

In mid-November 2016, the hackers emailed Uber's security team, described what they had taken, and demanded payment.

At this point, Uber faced a choice that companies discovering a breach must make: disclose the incident, notify affected individuals, cooperate with regulators, and absorb the reputational and financial consequences — or find another way.

Uber’s security leadership chose another way.

Threat Actor Profile: Brandon Glover & Vasile Mereacre

Designation: No APT designation; independent criminal actors
Origin: Brandon Glover, Florida, USA; Vasile Mereacre, Canada
Affiliation: Part of a broader network of young extortionists active in the mid-2010s who targeted technology companies with data theft
Primary Mission: Financial extortion via stolen data, typically using bug bounty programs as payment mechanisms to obscure the criminal nature of payments
Known Tradecraft: GitHub credential scanning, AWS credential exploitation, S3 bucket enumeration, extortion via corporate security channels

Notorious Operations:

  • Uber (2016): The breach and cover-up described here, arguably the most consequential data-breach concealment case in US corporate cybersecurity history.
  • Lynda.com (2016): A breach of LinkedIn’s professional learning subsidiary using similar methods, part of the same broader criminal operation.
  • Multiple technology company targets (2015–2017): Glover and Mereacre’s network conducted a series of similar attacks against technology companies, exploiting GitHub-exposed credentials to access cloud storage environments containing user data.

The Technical Intrusion: GitHub to AWS to S3

The mechanics of the Uber breach were a case study in a failure mode that security researchers had been documenting for years: developer credential exposure in public repositories.

Engineers frequently store configuration files, environment variables, and sometimes production credentials in their local development environments or internal scripts. When those scripts or configuration files are accidentally committed to a public GitHub repository — a mistake that happens constantly, at scale, across the software industry — any credentials they contain are instantly accessible to anyone monitoring GitHub for such exposures. Automated scanning tools were readily available in 2016, and criminals used them routinely.

The specific credentials found on GitHub were AWS access keys belonging to an Uber engineer. The keys had been committed to a public repository — almost certainly accidentally — and had not been rotated or revoked.

With the AWS keys, Glover and Mereacre accessed Uber’s Amazon environment. The environment contained an S3 bucket — Amazon’s cloud object storage service — holding a backup archive of Uber’s user and driver database. The archive was accessible with the stolen credentials.
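One routine check that would have surfaced the condition described above, a long-lived access key that nobody had rotated or revoked, is a periodic audit of the IAM credential report. The following is an added example written for this article, not Uber's tooling: the column names are those of the CSV that `aws iam get-credential-report` returns after base64 decoding, and the rows are constructed for illustration.

```python
"""Audit an IAM credential report for active access keys that are old or unused.

Added example, not Uber's code. Column names follow the CSV produced by
`aws iam get-credential-report` (base64-decoded); the rows are constructed.
"""
import csv
import io
import sys
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample: a root account with no keys, a backup service key that
# has not been rotated in months, a fresh deployment key, and a contractor key
# that was never used at all.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2014-01-01T00:00:00+00:00,not_supported,2016-10-01T08:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
backup-svc,arn:aws:iam::123456789012:user/backup-svc,2015-11-02T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2016-01-15T00:00:00+00:00,2016-10-13T03:12:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2016-08-20T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2016-09-01T00:00:00+00:00,2016-10-19T22:40:00+00:00,us-west-2,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
old-contractor,arn:aws:iam::123456789012:user/old-contractor,2015-05-30T00:00:00+00:00,true,2015-07-01T00:00:00+00:00,2015-05-30T00:00:00+00:00,N/A,false,true,2015-06-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Fixed "now" so the sample is reproducible; use datetime.now(timezone.utc) in practice.
EXAMPLE_NOW = datetime(2016, 10, 20, tzinfo=timezone.utc)


@dataclass
class KeyFinding:
    user: str
    slot: int                # 1 or 2: each IAM user may hold two access keys
    age_days: int            # days since the key was created or last rotated
    last_used_service: str   # e.g. "s3"; "N/A" if the key has never been used
    reasons: list


def _parse_ts(value: str):
    """IAM emits ISO-8601 timestamps, or N/A / no_information / not_supported."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv: str, now: datetime, max_age_days: int = 90) -> list:
    """Return active keys older than max_age_days, plus active keys never used.

    A never-used key is pure attack surface: delete it rather than rotate it.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in (1, 2):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is None:
                continue
            age = (now - rotated).days
            last_used = _parse_ts(row[f"access_key_{slot}_last_used_date"])
            reasons = []
            if age > max_age_days:
                reasons.append(f"not rotated for {age} days")
            if last_used is None:
                reasons.append("never used")
            if reasons:
                findings.append(KeyFinding(
                    user=row["user"], slot=slot, age_days=age,
                    last_used_service=row[f"access_key_{slot}_last_used_service"],
                    reasons=reasons))
    return findings


def run_sample() -> list:
    """Audit the constructed report at the fixed EXAMPLE_NOW."""
    return audit_credential_report(SAMPLE_REPORT, EXAMPLE_NOW)


if __name__ == "__main__":
    # Usage: aws iam get-credential-report --query Content --output text \
    #          | base64 -d | python audit_keys.py
    text = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    now = EXAMPLE_NOW if sys.stdin.isatty() else datetime.now(timezone.utc)
    for f in audit_credential_report(text, now):
        print(f"{f.user} key{f.slot}: {', '.join(f.reasons)} (last service: {f.last_used_service})")
```

On the constructed report this flags the backup-service key (279 days old, last used against S3) and the contractor key (507 days old, never used) while leaving the freshly rotated deployment key alone. The stronger fix is to avoid long-lived keys for workloads altogether and let them obtain short-lived credentials from an IAM role, which leaves nothing to leak into a repository in the first place.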

The attackers downloaded the archive. It contained:

  • 57 million records: names, email addresses, and phone numbers for Uber riders and drivers worldwide
  • 600,000 driver’s license numbers for US-based Uber drivers

The data was not immediately monetized on criminal markets. Instead, Glover and Mereacre contacted Uber’s security team and told them what they had found.

The Cover-Up: $100,000 and a Non-Disclosure Agreement

Uber’s security leadership — specifically Joe Sullivan, the company’s Chief Security Officer, and Craig Clark, the in-house lawyer assigned to his security team — assessed the situation and made a decision that would define the subsequent years of their careers.

Rather than treating the incident as a criminal extortion attempt and a reportable data breach, Sullivan and Clark structured the payment to the hackers as a bug bounty payout — a payment through Uber’s legitimate vulnerability disclosure program.

Uber paid Glover and Mereacre $100,000 in Bitcoin through HackerOne, the bug bounty platform. The payment was described internally as a reward for responsible vulnerability disclosure. The hackers, who had approached Uber under pseudonyms, were required to sign a non-disclosure agreement stating that they had not retained any of the stolen data and would not disclose the incident; Uber’s security team later identified both men and had them sign the agreement again under their real names.

The breach was not reported to regulators. It was not reported to affected individuals. It was not disclosed to the Federal Trade Commission, which was at that time in the middle of an investigation of Uber’s privacy and security practices stemming from a prior 2014 data incident; Sullivan himself had given sworn testimony to the FTC about those practices on November 4, 2016, roughly ten days before the hackers’ email arrived. It was not disclosed publicly.

Uber’s own legal team was not fully informed of the nature of the payment. The executives who structured the arrangement kept the circle of knowledge small.

The cover-up lasted over a year.

Disclosure and Consequences

In November 2017, newly installed Uber CEO Dara Khosrowshahi — who had replaced founder Travis Kalanick two months earlier — was briefed on the concealed breach by the company’s new legal team during a security audit. He directed that it be disclosed publicly and to regulators immediately.

On November 21, 2017, Uber disclosed the breach.

The fallout was immediate and severe:

Regulatory: In September 2018, Uber agreed to a $148 million settlement with all 50 US states and the District of Columbia — the largest multistate data breach settlement in state attorney general history at the time of its signing. The settlement required Uber to implement a comprehensive data security program and submit to audits.

FTC: The disclosure that Uber had concealed a breach while under FTC investigation prompted the FTC to expand its proposed 2017 settlement. Uber ultimately agreed in 2018 to a revised consent order with 20 years of FTC-monitored privacy assessments and an obligation to report future incidents.

Criminal charges: In August 2020, the US Department of Justice charged Joe Sullivan with obstruction of the FTC proceeding (18 U.S.C. § 1505) and misprision of a felony (18 U.S.C. § 4), that is, concealing a known felony from authorities. Craig Clark, who had been fired alongside Sullivan in November 2017, testified under a grant of immunity. Brandon Glover and Vasile Mereacre cooperated with prosecutors and pleaded guilty in October 2019 to conspiracy to commit computer extortion, a plea that also covered their attack on Lynda.com.

In October 2022, a federal jury in San Francisco convicted Joe Sullivan on both counts — making him one of the highest-profile corporate security officers ever convicted for actions taken in his professional capacity. In May 2023 he was sentenced to three years of probation, 200 hours of community service, and a $50,000 fine after the judge declined to impose a prison term, citing among other factors that this was the first prosecution of its kind while warning that the next defendant in a similar case should expect prison.

Sullivan’s defense had argued that he had been acting to protect Uber’s users and had not personally enriched himself. The prosecution argued that Sullivan had obstructed justice by paying attackers to remain silent and signing them to NDAs while a federal regulator was actively investigating the company. The jury found for the prosecution.

The GitHub Credential Problem

The Uber breach was not a sophisticated attack. It was not a zero-day vulnerability, an advanced persistent threat, or a nation-state operation. It was two young men running a script that scanned GitHub repositories for accidentally exposed credentials.

This attack vector — credential exposure in public code repositories — had been a known, documented, and widely discussed problem in the security industry for years before 2016. It remained a persistent problem after Uber’s breach, and continues to produce compromises at major organizations today.

The root cause was structural: software developers worked under pressure, committed code frequently to version control systems, and routinely made configuration mistakes. Public repositories on GitHub, accessible without authentication, were routinely scanned by both security researchers and criminals. The window between a credential accidentally being committed and being harvested by an automated scanner could be measured in minutes.

The standard recommendation was available and documented: keep credentials out of source entirely by giving workloads short-lived credentials from an IAM role rather than long-lived access keys, or store them in a secrets manager such as HashiCorp Vault (released in 2015; AWS Secrets Manager did not exist until 2018), and run automated pre-commit hooks that detect credential patterns before code is pushed. It was simply not universally implemented.
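As an added example (not code from the original page or from Uber), here is the pre-commit check the paragraph above describes, in Python: it parses the staged unified diff, inspects only added lines, and flags AWS access key IDs by pattern and secret keys by pattern plus a Shannon-entropy gate that drops placeholders. The diff is constructed; the credential values are the placeholders AWS uses in its own documentation, not live keys.

```python
"""Pre-commit scanner for AWS credentials in staged changes.

Added example for this article, not Uber's or any vendor's tooling.
The diff below is constructed; the key values are the placeholders AWS
uses in its documentation, not real credentials.
"""
import math
import re
import subprocess
import sys
from dataclasses import dataclass

# Long-lived (AKIA) and temporary (ASIA) access key IDs share this shape.
ACCESS_KEY_ID = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# A 40-character base64-ish token near the word "secret": candidate secret key.
SECRET_KEY = re.compile(
    r"(?i)aws.{0,20}?secret.{0,20}?['\"=:\s]([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
ENTROPY_THRESHOLD = 4.0   # bits/char; random 40-char secrets sit around 4.5 and above
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# Constructed staged diff: a real-looking key pair pasted into config, plus a
# documentation placeholder that should NOT be flagged.
SAMPLE_DIFF = f"""\
diff --git a/deploy/config.py b/deploy/config.py
--- a/deploy/config.py
+++ b/deploy/config.py
@@ -1,3 +1,6 @@
 import os
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+# TODO remove before pushing
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+BACKUP_BUCKET = "rider-driver-db-backups"
 REGION = "us-east-1"
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -4,2 +4,3 @@
 ## Config
+Set AWS_SECRET_ACCESS_KEY={'x' * 40} in your shell.
 Then run deploy.
"""


@dataclass
class Finding:
    path: str
    line_no: int   # line number in the new version of the file
    kind: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits per character: ~0 for 'xxxx...', well above 4 for random keys."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return sum(-(c / n) * math.log2(c / n) for c in counts.values())


def added_lines(diff_text: str):
    """Yield (path, new_line_no, text) for every '+' line of a unified diff."""
    path, line_no = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].split("\t")[0]
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("--- "):
            continue
        m = HUNK.match(raw)
        if m:
            line_no = int(m.group(1))        # first new-file line of this hunk
        elif raw.startswith("+"):
            yield path, line_no, raw[1:]
            line_no += 1
        elif raw.startswith(" "):
            line_no += 1                     # unchanged context line
        # '-' lines exist only in the old file; other headers are ignored


def scan_diff(diff_text: str, entropy_threshold: float = ENTROPY_THRESHOLD) -> list:
    """Return credential findings for the added lines of a diff."""
    findings = []
    for path, line_no, text in added_lines(diff_text):
        for m in ACCESS_KEY_ID.finditer(text):
            findings.append(Finding(path, line_no, "aws_access_key_id", m.group(1)))
        for m in SECRET_KEY.finditer(text):
            candidate = m.group(1)
            # Entropy gate drops placeholders such as 'xxxx...' or '0000...'
            if shannon_entropy(candidate) >= entropy_threshold:
                findings.append(Finding(path, line_no, "aws_secret_access_key", candidate))
    return findings


def should_block(diff_text: str) -> bool:
    """Hook policy: any finding blocks the commit."""
    return bool(scan_diff(diff_text))


if __name__ == "__main__":
    # Install as .git/hooks/pre-commit; a non-zero exit aborts the commit.
    diff = subprocess.run(["git", "diff", "--cached", "--no-color"],
                          capture_output=True, text=True, check=False).stdout
    hits = scan_diff(diff)
    for f in hits:
        print(f"{f.path}:{f.line_no}: {f.kind} {f.value[:4]}...", file=sys.stderr)
    sys.exit(1 if hits else 0)
```

On the constructed diff the hook reports the access key ID on line 3 and the secret on line 4 of deploy/config.py and stays silent on the README placeholder. A hook is a local control that a developer can skip with `git commit --no-verify`, so the same scan belongs in CI and in a server-side receive hook, and any key that does reach a shared repository has to be treated as compromised and rotated, not merely deleted from history.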

The Cover-Up as Crime

The Uber case’s most lasting significance was not the breach itself but the legal precedent established by Sullivan’s conviction.

The decision to treat a data breach as an extortion problem to be managed quietly, rather than a security incident to be disclosed under applicable law, was not unique to Uber in the mid-2010s. The practice of paying hackers under the guise of bug bounties in exchange for data deletion and silence existed in a legal grey zone that some security practitioners had rationalized as a pragmatic response to extortion.

Sullivan’s conviction established that this rationalization was legally untenable. A Chief Security Officer who facilitates payment to attackers in exchange for their silence while a regulatory investigation is underway, and who lets that investigation proceed without disclosing a material breach, is engaging in obstruction and concealment — regardless of whether the security officer personally benefited.

The duty to disclose — to regulators, to victims, to the market — was not optional. The cover-up cost more than the breach.


Attack Chain: Uber Data Breach & Cover-Up

graph TD
    A["Brandon Glover (Florida)\nVasile Mereacre (Canada)"] --> B["GitHub Credential Scanning\nAutomated Search for\nAWS Access Keys in Public Repos"]

    B --> C["Uber Engineer AWS Keys\nFound in Public GitHub Repository\n(Accidentally Committed)"]

    C --> D["AWS Credentials Valid\nUber Amazon Environment\nAccess Confirmed"]

    D --> E["S3 Bucket Discovery\nUser + Driver Database Backup\nCloud Object Storage"]

    E --> F["Data Exfiltration\n57 Million Records:\n• Rider Names/Email/Phone\n• Driver Names/Email/Phone\n• 600,000 Driver License Numbers (US)"]

    F --> G["Hackers Contact Uber\nNovember 14, 2016\n'We have your data — pay us'"]

    G --> H["Uber CSO Joe Sullivan\nReviews Situation\nMakes Decision: Cover Up"]

    H --> I["Structure as Bug Bounty\nHackerOne Payment Platform\n$100,000 in Bitcoin"]

    I --> J["Hackers Sign NDA:\n• 'Did not retain data'\n• 'Will not disclose'\n• Payment framed as legitimate reward"]

    J --> K["🔴 Breach NOT Disclosed\nNot Reported to Regulators\nNot Reported to Victims\nNot Reported to FTC"]

    K --> L["FTC Ongoing Compliance Review\nof Uber Privacy Practices\n(From Prior 2014 Breach)\nConducted Blind to 2016 Incident"]

    L --> M["November 2017:\nNew CEO Dara Khosrowshahi\nBriefed During Security Audit"]

    M --> N["November 21, 2017:\nUber Publicly Discloses Breach\n1+ Year After Incident"]

    N --> O["Regulatory Fallout"]
    O --> O1["$148M Settlement\n50 States + DC\nLargest State AG Settlement (at time)"]
    O --> O2["FTC 20-Year Consent Decree\nMonitored Compliance Program"]

    N --> P["Criminal Charges — August 2020\nDOJ: Joe Sullivan\n• Obstruction of Justice\n• Concealment of Felony"]

    P --> Q["October 2022:\nJury Convicts Sullivan\nOn Both Counts"]
    Q --> R["May 2023:\n3 Years Probation\n(No Prison Term)"]

    G --> S["Brandon Glover:\nGuilty Plea — Computer Extortion Conspiracy\nCooperated with Prosecutors"]
    G --> T["Vasile Mereacre:\nGuilty Plea — Computer Extortion Conspiracy\nCooperated with Prosecutors"]

    R --> U["Legal Precedent:\nCSO Liability for Breach Cover-Up\nBug Bounty Cannot Launder Extortion\nDuty to Disclose = Mandatory"]