Two men pleaded guilty in US federal court on Wednesday to hacking and extorting companies including Uber and LinkedIn, according to the US Department of Justice. The hackers had demanded money from the companies in exchange for agreeing to delete confidential data they had stolen. Uber allegedly paid the hackers $100,000 instead of reporting the breach to the police, and had the two hackers sign nondisclosure agreements, CNET sister site CBS News reported Thursday.
Dave Anderson, a US attorney for Northern California, told CBS News that Uber “absolutely” acted irresponsibly by asking the hackers to delete the 57 million user files and promise to keep quiet about the hack.
“This case is extraordinary,” Anderson said. In addition, there was a third party who took part in the data breach, he alleged. “We know that the defendants said that they destroyed that data … but there was a third participant in the hack. And that third participant was unknown to Uber.” Uber told CBS that it can’t comment on an ongoing criminal investigation.
By comparison, prosecutors said LinkedIn didn’t pay and reported the hack to police at the time.
The two people who pleaded guilty were Brandon Charles Glover and Vasile Mereacre, who admitted they took part in a conspiracy to access confidential corporate databases on Amazon Web Services using stolen credentials, according to a Justice Department press release. After downloading the information, Glover and Mereacre told the companies they had found vulnerabilities in how employees used the systems. They then demanded payment in exchange for deleting the data, the Justice Department said, as reported earlier Wednesday by CNET sister site ZDNet.
The men used an alias and an encrypted email account to contact the companies and tell them their data was vulnerable, the DOJ said. They also shared a sample of the stolen data to prove the companies' systems had been breached before demanding money in return for deleting the data.
“We’re dealing with the most sophisticated cyber actors in the world,” FBI Special Agent in Charge John F. Bennett said in a statement. “In order to take on those people on the front lines of the cybersecurity battle, we rely heavily on our valued relationships and open dialogue with private sector companies in cyber industries. Their willingness to speedily report intrusions to our investigators allows us to find and arrest those who commit data breaches.”
Glover and Mereacre said they gave credentials for Uber's Amazon Web Services account to a "technically proficient hacker" who found archive files with 57 million Uber user records made up of customer and driver data. The men said they illegally downloaded the records and contacted Uber in November 2016 saying they had found a major vulnerability in the rideshare company's computer security systems. According to the defendants' plea agreements, Uber said it would pay the men $100,000 in bitcoin via a third party if the defendants signed a confidentiality agreement. The company required that the payment remain confidential and that the men destroy the data.
Following three weeks of negotiating, Uber made the payments in December. In January 2017, Uber told the defendants it had found Glover’s real identity. A representative from the company met with Glover at his home in Florida, where he admitted his role in the plot and signed a confidentiality agreement using his real name. Two days later, an Uber representative met with Mereacre in Toronto, and he, too, admitted his role in the breach and signed a confidentiality agreement.
Similarly, the defendants obtained information on more than 90,000 confidential Lynda.com user accounts, which they had illegally accessed and downloaded from the platform's Amazon Web Services account. (LinkedIn is Lynda.com's parent company.) After the defendants emailed some of the user account information to LinkedIn's security team and demanded compensation to delete the data, LinkedIn began searching for the source of the email.
The defendants told LinkedIn representatives: “[p]lease keep in mind, we expect a big payment as this was hard work for us, we already helped a big corp which paid close to seven digits, all went well.” The men stopped communicating with LinkedIn in January 2017, and the company didn’t end up paying them.
Glover and Mereacre were each charged with one count of conspiracy to commit extortion involving computers. They’ve been released on bond pending sentencing. US District Judge Lucy H. Koh scheduled a status conference on sentencing on March 18, 2020. The men could face up to five years in prison and a $250,000 fine.
“We appreciate the ongoing work by the US Attorney’s office to pursue and bring to justice those responsible for the 2016 breach of Lynda user information,” a LinkedIn representative said in a statement. “We’re glad to see the resolution of this investigation.”
Uber declined to comment Wednesday.
Originally published Oct. 30, 5:13 p.m. PT.
Updates, 5:30 p.m.: Adds that Uber declined to comment; Oct. 31: Includes CBS News report about Uber allegedly paying $100,000 and asking hackers to sign NDAs.