SAN FRANCISCO/WASHINGTON (Reuters) – A 20-year-old Florida man was responsible for the large data breach at Uber Technologies Inc last year and was paid by Uber to destroy the data through a so-called “bug bounty” program normally used to identify small code vulnerabilities, three people familiar with the events have told Reuters.
Uber announced on Nov. 21 that the personal data of 57 million passengers and 600,000 drivers were stolen in a breach that occurred in October 2016, and that it paid the hacker $100,000 to destroy the information. But the company did not reveal any information about the hacker or how it paid him the money.
Uber made the payment last year through a program designed to reward security researchers who report flaws in a company’s software, these people said. Uber’s bug bounty service – as such a program is known in the industry – is hosted by a company called HackerOne, which offers its platform to a number of tech companies.
Reuters was unable to establish the identity of the hacker or another person who sources said helped him. Uber spokesman Matt Kallman declined to comment on the matter.
Newly appointed Uber Chief Executive Dara Khosrowshahi fired two of Uber’s top security officials when he announced the breach last month, saying the incident should have been disclosed to regulators at the time it was discovered, about a year before.
It remains unclear who made the final decision to authorize the payment to the hacker and to keep the breach secret, though the sources said then-CEO Travis Kalanick was aware of the breach and bug bounty payment in November of last year.
Kalanick, who stepped down as Uber CEO in June, declined to comment on the matter, according to his spokesman.
A payment of $100,000 through a bug bounty program would be extremely unusual, with one former HackerOne executive saying it would represent an “all-time record.” Security professionals said rewarding a hacker who had stolen data also would be well outside the normal rules of a bounty program, where payments are typically in the $5,000 to $10,000 range.
HackerOne hosts Uber’s bug bounty program but does not manage it, and plays no role in deciding whether payouts are appropriate or how large they should be.
HackerOne CEO Marten Mickos said he could not discuss an individual customer’s programs. “In all cases when a bug bounty award is processed through HackerOne, we receive identifying information of the recipient in the form of an IRS W-9 or W-8BEN form before payment of the award can be made,” he said, referring to U.S. Internal Revenue Service forms.
According to two of the sources, Uber made the payment to confirm the hacker’s identity and have him sign a nondisclosure agreement to deter further wrongdoing. Uber also conducted a forensic analysis of the hacker’s machine to make sure the data had been purged, the sources said.
One source described the hacker as “living with his mom in a small home trying to help pay the bills,” adding that members of Uber’s security team did not want to pursue prosecution of an individual who did not appear to pose a further threat.
The Florida hacker paid a second person for services that involved accessing GitHub, a site widely used by programmers to store their code, to obtain credentials for access to Uber data stored elsewhere, one of the sources said.
GitHub said the attack did not involve a failure of its security systems. “Our recommendation is to never store access tokens, passwords, or other authentication or encryption keys in the code,” that company said in a statement.
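The attack path described above, credentials committed to a code repository and then reused against the systems they unlock, is the reason GitHub's advice is usually backed by an automated scan in a pre-commit hook or CI job. The following is an added example, not code from the article, from Uber or from GitHub: a small scanner that flags documented public key formats (AWS access key IDs, GitHub personal access tokens), hard-coded `keyword = "literal"` assignments, and long high-entropy strings that look like key material. The keyword list, placeholder list and entropy threshold are this example's own assumptions, and the sample source it scans is constructed, using AWS's published example key values rather than any real credential.

```python
import math
import re
from dataclasses import dataclass

# Documented public credential prefixes. The generic keyword list, the
# placeholder list and the entropy threshold below are assumptions made
# for this example, not an industry standard.
KNOWN_FORMATS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)
CANDIDATE_TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
PLACEHOLDERS = {"changeme", "your_password_here", "xxxxxxxx", "<redacted>"}
# Bits per character. An identifier such as AWS_SECRET_ACCESS_KEY scores
# well below this; random key material of 20+ characters typically scores above it.
HIGH_ENTROPY_BITS = 4.0


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    redacted: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the string's own character frequencies."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep just enough of a value to locate it in the file; never echo the whole secret."""
    return value[:4] + "..." + value[-4:] if len(value) > 8 else "*" * len(value)


def scan_lines(lines):
    """Return one Finding per distinct suspicious value per line, most specific rule first."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        seen = set()  # values already reported on this line, to avoid double counting
        for kind, pattern in KNOWN_FORMATS.items():
            for m in pattern.finditer(line):
                seen.add(m.group(0))
                findings.append(Finding(line_no, kind, redact(m.group(0))))
        for m in GENERIC_ASSIGNMENT.finditer(line):
            value = m.group(2)
            if value.lower() in PLACEHOLDERS or value in seen:
                continue
            seen.add(value)
            findings.append(Finding(line_no, "generic_secret_assignment", redact(value)))
        for m in CANDIDATE_TOKEN.finditer(line):
            token = m.group(0)
            if token in seen or shannon_entropy(token) < HIGH_ENTROPY_BITS:
                continue
            seen.add(token)
            findings.append(Finding(line_no, "high_entropy_string", redact(token)))
    return findings


# Constructed sample input. The two AWS values are the example credentials
# AWS publishes in its own documentation, not live keys.
SAMPLE_SOURCE = """\
# constructed sample; the keys are AWS's documented example values
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DB_PASSWORD = "changeme"
TIMEOUT_SECONDS = 30
GITHUB_TOKEN = os.environ["GITHUB_TOKEN"]   # the right way: read at runtime
"""


def scan_sample():
    return scan_lines(SAMPLE_SOURCE.splitlines())


if __name__ == "__main__":
    for f in scan_sample():
        print(f"line {f.line_no}: {f.kind} {f.redacted}")
```

Run against the sample, the scanner reports the access key ID on line 2 and the secret key on line 3, skips the `changeme` placeholder, and says nothing about the last line, which reads the token from the environment at runtime instead of committing it. The entropy rule exists for formats the known-prefix list does not cover; it is deliberately last, so a value already matched by a more specific rule is not reported twice.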
‘SHOUT IT FROM THE ROOFTOPS’
Uber received an email last year from an anonymous person demanding money in exchange for user data, and the message was forwarded to the company’s bug bounty team in what was described as Uber’s routine practice for such solicitations, according to three sources familiar with the matter.
Bug bounty programs are designed mainly to give security researchers an incentive to report weaknesses they uncover in a company’s software. But complicated scenarios can emerge when dealing with hackers who obtain information illegally or seek a ransom.
Some companies choose not to report more aggressive intrusions to authorities on the grounds that it can be easier and more effective to negotiate directly with hackers in order to limit any harm to customers.
Uber’s $ 100,000 payout and silence on the matter at the time was extraordinary under such a program, according to Luta Security founder Katie Moussouris, a former HackerOne executive.
“If it had been a legitimate bug bounty, it would have been ideal for everyone involved to shout it from the rooftops,” Moussouris said.
Uber’s failure to report the breach to regulators, even though it may have felt it had dealt with the problem, was an error, according to people inside and outside the company who spoke to Reuters.
“The creation of a bug bounty program doesn’t allow Uber, their bounty service provider, or any other company the ability to decide that breach notification laws don’t apply to them,” Moussouris said.
Uber fired its chief security officer, Joe Sullivan, and a deputy, attorney Craig Clark, over their roles in the incident.
“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said in a blog post announcing the hack last month.
Clark worked directly for Sullivan but also reported to Uber’s legal and privacy team, according to three people familiar with the arrangement. It is unclear whether Clark informed Uber’s legal department, which typically handled disclosure issues.
Sullivan and Clark did not respond to requests for comment.
In an August interview with Reuters, Sullivan, a former prosecutor and Facebook Inc (FB.O) security chief, said he integrated security engineers and developers at Uber “with our lawyers and our public policy team who know what regulators care about.”
Last week, three more top managers in Uber’s security unit resigned. One of them, physical security chief Jeff Jones, later told others he would have left anyway, sources told Reuters. Another of the three, senior security engineer Prithvi Rai, later agreed to stay in a new role.
Reporting by Joseph Menn in San Francisco and Dustin Volz in Washington; Additional reporting by Heather Somerville and Stephen Nellis in San Francisco; Editing by Jonathan Weber and Bill Rigby
KUALA LUMPUR (Reuters) – Malaysia’s CIMB Group Holdings Bhd on Monday said some magnetic tapes containing backup customer data were lost during routine operations, adding that there has been no evidence so far that any data has been compromised.
The tapes do not contain any authentication data such as PINs, passwords or credit card security numbers, the country’s second biggest lender said in a statement.
“Several magnetic tapes containing back-up data were physically lost in transit during routine operations. Some of these tapes contain customer information of CIMB Bank and its subsidiaries,” it said.
“Following a thorough and ongoing assessment, there is currently no evidence that any of this information has been compromised.”
The bank said it was working with relevant authorities and taking steps to protect customers. It did not say when the tapes were lost.
CIMB said it has heightened security measures following the loss of the tapes, including temporarily suspending some services via its call center.
In a separate statement, Malaysia’s central bank said it has been assured by CIMB that “necessary precautionary measures and mitigation actions have been taken to manage any possible negative impact arising from the loss of the tapes.”
Earlier this month, Malaysia said it was investigating an alleged attempt to sell data of more than 46 million mobile phone subscribers online, in what appeared to be one of the largest leaks of customer data in Asia.
Reporting by A. Ananthalakshmi, editing by David Evans
Late in 2015, Gilberto Titericz, an electrical engineer at Brazil’s state oil company Petrobras, told his boss he planned to resign, after seven years maintaining sensors and other hardware in oil plants. By devoting hundreds of hours of leisure time to the obscure world of competitive data analysis, Titericz had recently become the world’s top-ranked data scientist, by one reckoning. Silicon Valley was calling. “Only when I wanted to quit did they realize they had the number-one data scientist,” he says.
Petrobras held on to its champ for a time by moving Titericz into a position that used his data skills. But since topping the rankings that October he’d received a stream of emails from recruiters around the globe, including representatives of Tesla and Google. This past February, another well-known tech company hired him, and moved his family to the Bay Area this summer. Titericz described his unlikely journey recently over colorful plates of Nigerian food at the headquarters of his new employer, Airbnb.
Titericz earned, and holds, his number-one rank on a website called Kaggle that has turned data analysis into a kind of sport, and transformed the lives of some competitors. Companies, government agencies, and researchers post datasets on the platform and invite Kaggle’s more than one million members to discern patterns and solve problems. Winners get glory, points toward Kaggle’s rankings of its top 66,000 data scientists, and sometimes cash prizes.
Alone and in small teams with fellow Kagglers, Titericz estimates he has won around $100,000 in contests that included predicting seizures from brainwaves for the National Institutes of Health, the price of metal tubes for Caterpillar, and rental property values for Deloitte. The TSA and real-estate site Zillow are each running competitions offering prize money in excess of $1 million.
Veteran Kagglers say the opportunities that flow from a good ranking are generally more bankable than the prizes. Participants say they learn new data-analysis and machine-learning skills. Plus, the best performers, like the 95 “grandmasters” who top Kaggle’s rankings, are highly sought talents in an occupation crucial to today’s data-centric economy. Glassdoor has declared data scientist the best job in America for the past two years, based on the thousands of vacancies, good salaries, and high job satisfaction. Companies large and small recruit from Kaggle’s fertile field of problem solvers.
In March, Google came calling and acquired Kaggle itself. It has been integrated into the company’s cloud-computing division, and begun to emphasize features that let people and companies share and test data and code outside of competitions, too. Google hopes other companies will come to Kaggle for the people, code, and data they need for new projects involving machine learning—and run them in Google’s cloud.
Kaggle grandmasters say they’re driven as much by a compulsion to learn as to win. The best take extreme lengths to do both. Marios Michailidis, a previous number one now ranked third, got the data-science bug after hearing a talk on entrepreneurship from a man who got rich analyzing trends in horseraces. To Michailidis, the money was not the most interesting part. “This ability to explore and predict the future seemed like a superpower to me,” he says. Michailidis taught himself to code, joined Kaggle, and before long was spending what he estimates was 60 hours a week on contests—in addition to a day job. “It was very enjoyable because I was learning a lot,” he says.
Michailidis has since cut back to roughly 30 hours a week, in part due to the toll on his body. Titericz says his own push to top the Kaggle rankings, made not long after the birth of his second daughter, caused some friction with his wife. “She’d get mad with me every time I touched the computer,” he says.
Entrepreneur SriSatish Ambati has made Kagglers a core strategy of his startup, H2O, which makes data-science tools for customers including eBay and Capital One. Ambati hired Michailidis and three other grandmasters after he noticed a surge in downloads when H2O’s software was used to win a Kaggle contest. Victors typically share their methods in the site’s busy forums to help others improve their technique.
H2O’s data celebrities work on the company’s products, providing both expertise and a marketing boost akin to a sports star endorsing a sneaker. “When we send a grandmaster to a customer call their entire data-science team wants to be there,” Ambati says. “Steve Jobs had a gut feel for products; grandmasters have that for data.” Jeremy Achin, cofounder of startup DataRobot, which competes with H2O and also has hired grandmasters, says high Kaggle rankings also help weed out poseurs trying to exploit the data-skills shortage. “There are many people calling themselves data scientists who are not capable of delivering actual work,” he says.
Competition between people like Ambati and Achin helps make it lucrative to earn the rank of grandmaster. Michailidis, who works for Mountain View, California-based H2O from his home in London, says his salary has tripled in three years. Before joining H2O, he worked for customer analytics company Dunnhumby, a subsidiary of supermarket Tesco.
Large companies like Kaggle champs, too. An Intel job ad posted this month seeking a machine-learning researcher lists experience winning Kaggle contests as a requirement. Yelp and Facebook have run Kaggle contests that dangle a chance to interview for a job as a prize for a good finish. The winner of Facebook’s most recent contest last summer was Tom Van de Wiele, an engineer for Eastman Chemical in Ghent, Belgium, who was seeking a career change. Six months later, he started a job at Alphabet’s artificial-intelligence research group DeepMind.
H2O is trying to bottle some of the lightning that sparks from Kaggle grandmasters. Select customers are testing a service called Driverless AI that automates some of a data scientist’s work, probing a dataset and developing models to predict trends. More than 6,000 companies and people are on the waitlist to try Driverless. Ambati says that reflects the demand for data-science skills, as information piles up faster than companies can analyze it. But no one at H2O expects Driverless to challenge Titericz or other Kaggle leaders anytime soon. For all the data-crunching power of computers, they lack the creative spark that makes a true grandmaster.
“If you work on a data problem in a company you need to talk with managers, and clients,” says Stanislav Semenov, a grandmaster and former number one in Moscow, who is now ranked second. He likes to celebrate Kaggle wins with a good steak. “Competitions are only about building the best models, it’s pure and I love it.” On Kaggle, data analysis is not just a sport, but an art.
SINGAPORE/BANGKOK (Reuters) – When diaper maker DSG International (Thailand) wants to know what its customers are thinking, it often turns to Lazada, an e-commerce firm majority-owned by Alibaba Group Holding (BABA.N).
“From (their) data, we know mothers sometimes browse at night, so we can offer flash sales when we know customers are browsing,” says Ambrose Chan, the Thai company’s CEO.
Southeast Asia is the world’s fastest-growing internet market, home to 600 million consumers from Vietnam to Indonesia via Singapore, many of them tech- and social media-savvy. They are rapidly spending more time and money online. A Nielsen study in 2015 estimated Southeast Asia’s middle-class will hit 400 million by 2020, doubling from 2012.
Gross merchandise value of ecommerce in Southeast Asia will balloon to $65.5 billion by 2021, from $14.3 billion last year, predicts consultancy Frost & Sullivan.
Research firm Euromonitor forecasts internet retailing in Indonesia, for example, will more than double to $6.2 billion by 2021, and Thailand will increase 85 percent to $2.8 billion.
Consumer goods firms, such as Unilever (UNc.AS) and Japanese cosmetics firm Shiseido (4911.T), say the e-commerce boom allows them to push deeper into markets that can otherwise be difficult to understand and tough to penetrate due to poor retail networks and infrastructure.
“Data from Lazada has been used to position certain products where consumer preferences are different. For example, Thai customers like to buy diapers in special cartons, while Malaysians prefer multiple packs,” says Chan.
To reach more customers and get a better handle on their online behavior, consumer goods companies are forging partnerships with e-commerce firms like Lazada and fashion website Zalora.
A customer who clicked on a 50 milliliter product may instead buy a smaller 30 ml product, said Pranay Mehra, vice president, digital and e-commerce at Shiseido Asia Pacific, noting that data and online selling experience can help firms bundle offers, decide on packaging and distribution, and influence where to set up a physical presence.
“This data is very powerful and very insightful, if used properly,” Mehra added.
Unilever, whose products range from Hellmann’s mayonnaise to Dove soap, said it is seeing more demand from rural consumers in developing markets like Indonesia and Vietnam.
“With all our e-commerce partners, we’re using data to help us find innovative solutions to unlock key barriers of high cost delivery and poor credit card penetration in remote areas,” said Anusha Babbar, e-commerce director at Unilever Southeast Asia and Australasia.
The conglomerate, which works with the likes of Singapore online grocer RedMart, Indonesia’s Blibli and Vietnam’s Tiki, said it introduced its St Ives skincare brand on Lazada after seeing a trend towards natural products and shopper search data.
DATA AND LOGISTICS
“Traditional retailers will struggle to see customer behavior,” said Lazada Thailand’s CEO, Alessandro Piscini. “We can tell if a customer is pregnant from their search behavior.”
Lazada, he said, plans to use data science to help its merchants customize offers for specific customer groups based on age, gender and other preferences.
Zalora, which sells clothing and accessories online in markets including Singapore, Malaysia and Indonesia, said it was working on ad-hoc projects with some brands to help them understand their customers based on data.
Lazada and Zalora are among the few e-commerce platforms that operate in multiple Southeast Asian countries. But the region is becoming a new battleground as Amazon (AMZN.O) and JD.com (JD.O) make beachheads in Singapore and Thailand.
Lazada Thailand will focus on partnering with fast-moving consumer goods companies to maintain its lead, Piscini said, and is expanding its logistics footprint across a region that has poor roads, clogged cities and thousands of often remote islands.
To be sure, online still contributes a tiny portion to consumer goods companies’ sales, but some local firms are going beyond partnerships and investing in their own e-commerce capabilities.
Thailand’s top consumer goods manufacturer Saha Group (SPI.BK) (SPC.BK) has seen online sales of some of its brands rise tenfold since it began a partnership with Lazada in June, but online still represents just 1-2 percent of total sales.
Saha is using e-commerce data to customize offerings.
“We now make real-time offerings to customers. Before, promotions would be seasonal,” Chairman Boonsithi Chokwatana told Reuters.
The company, whose products include instant noodles, toothpaste and laundry detergent, is investing 2 billion baht ($60 million) in logistics to support its e-commerce ambitions, including a 21-storey warehouse and a big data team, he said.
Reporting by Aradhana Aravindan in SINGAPORE and Chayut Setboonsarng in BANGKOK; Editing by Ian Geoghegan
The Department of Homeland Security is proposing to expand the files it collects on immigrants, as well as some citizens, by including more online data—most notably search results and social media information—about each individual.
The plan, which would cover data like Facebook posts or Google results, is set out in the Federal Register, where the government publishes forthcoming regulations. A final version is set to go into effect on Oct. 18.
The plan, reported by BuzzFeed, is notable partly because it permits the government to amass information not only about recent immigrants, but also on green card holders and naturalized Americans as well.
The proposal to collect social media data is set out in a part of the draft regulation that describes expanding the content of so-called “Alien Files,” which serve as detailed profiles of individual immigrants, and are used by everyone from border agents to judges. Here is the relevant portion:
The Department of Homeland Security, therefore, is updating the [file process] to … (5) expand the categories of records to include the following: country of nationality; country of residence; the USCIS Online Account Number; social media handles, aliases, associated identifiable information, and search results
The proposal follows new rules by the Trump Administration that require visitors from certain countries to disclose their social media handles, and allow border agents to view their list of phone contacts.
Those earlier measures alarmed civil rights advocates who questioned whether they would do much to improve security, and worried other countries would introduce similar screening of Americans. In response to the latest effort to collect social media data, the American Civil Liberties Union warned of a “chilling effect.”
“This Privacy Act notice makes clear that the government intends to retain the social media information of people who have immigrated to this country, singling out a huge group of people to maintain files on what they say. This would undoubtedly have a chilling effect on the free speech that’s expressed every day on social media,” the group said in a statement.
The new rules are currently subject to a comment period until Oct. 18 but, if they go into effect as planned, they will add yet more data to “Alien Files” that can already contain information such as fingerprints, travel histories, and health, and education records.
Such repositories provide powerful intelligence-gathering tools, but they also bring privacy risks, from expanded government surveillance to the exposure of the files themselves in a cyber-attack.
Business Continuity Awareness Week 2017 is here, and hopefully it will present a fresh opportunity to review some of the cloud’s limitations in this area.
Some 60 percent of all enterprise IT workloads will be run in some form of public or private cloud by as soon as next year, according to 451 Research’s latest estimate. It projects particularly strong growth in critical categories, including data analytics and core business applications. Findings from IDC, Gartner and Forrester present broadly the same picture—that the cloud is rapidly becoming central rather than peripheral to general IT provision.