Two men have pleaded guilty to a 2016 hack against systems belonging to Uber and LinkedIn and to holding stolen data to ransom.
Florida resident Brandon Glover and Canadian Vasile Mereacre appeared in court on Wednesday on charges of extortion and computer hacking.
The pair confessed that they used Amazon Web Service credentials to access customer data from both companies and demanded bitcoin payments for its deletion.
Uber had 57 million of its customer accounts breached in October 2016, however, following an attempted cover-up by the company, the extent of the breach was only revealed until the following year.
Data breach response: How to react when your business gets hit How not to get hacked in 2019 Facebook goes full Naked Gun after its latest password fiasco
The pair then attacked LinkedIn-owned Lynda.com, now LinkedIn Learning, where they gained access to 55,000 customer accounts in December 2016. LinkedIn immediately referred the incident to the police, at which point the full extent of the pair's activities came to light.
"In order to take on those people on the front lines of the cyber security battle, we rely heavily on our valued relationships and open dialogue with private sector companies in cyber industries," said John Bennett, the FBI special agent leading the case against the pair, speaking to The New York Times. "Their willingness to speedily report intrusions to our investigators allows us to find and arrest those who commit data breaches."
Stolen credentials
The case was presided over by Judge Lucy Koh, the same official that mediated on Yahoo's financial penalty following the breach of its systems in 2013.
Judge Koh heard that Glover and Mereacre used hacked Uber and Lynda employee AWS credentials to gain access to the data. In both breaches, the pair then attempted to contact security officials at the companies using pseudonyms and untraceable accounts, demanding for bitcoin payments in exchange for the information.
In October 2016, officials from the ride-hailing firm tried to conceal the incident and reach a deal with the two men by paying them through a bug bounty website. However, in Uber's case, the hackers were not invited to test its systems and were asked to sign nondisclosure agreements in exchange for two payments of $50,000 in bitcoin.
However, when contacted by the hackers in December 2016, security officials at Lynda.com ignored this and immediately notified authorities of the hack.
Uber's failure to disclose the breach led to an investigation and $148 million settlement. Joe Sullivan, the chief security officer at the time, was ousted for presiding over the deal and failing to notify the victims of the breach. Former CEO Travis Kalanick, who left the company shortly after following accusations of sexism and poor working practices, was also reportedly aware of the breach during this time.
Having pleaded guilty, Glover and Mereacre will be sentenced in 2020 and could face five years in federal prison and a fine of up to $250,000.
