Hackers Plead Guilty to 2016 Uber, Lynda.com Breaches

Data breaches are becoming an increasingly regular occurrence, as increasing amounts of data are stored online, particularly in cloud computing services like Amazon Web Services, Microsoft’s Azure, or Google Cloud.  A plea bargain reached before Judge Lucy Kohn in the Northern District of California by the culprits behind two high-profile breaches revealed differing approaches to the breach by differing companies.

26-year-old Brandon Glover, of Florida, and 23-year-old Vasile Mereacre, of Canada, admitted Wednesday to gaining unauthorized access to the user databases of rideshare giant Uber and Lynda.com, the education platform now known as LinkedIn Learning, in late 2016.  Much like the Capital One breach disclosed this summer, the pair accessed the databases through Amazon Web Services, the cloud provider that hosted the data. In both instances, the hackers gained access to the GitHub accounts for developers, which in turn held credentials to the AWS accounts for the companies. (GitHub is a service used by software developers to back up and maintain code, among other things.)  According to the New York Times, the hackers used “an elaborate ruse” to access the GitHub accounts. 

After accessing the databases, the hackers anonymously contacted security officers at both companies, demanding payment to delete the databases.  In response, Lynda.com instead disclosed the breach to its users, whereupon Glover and Mereacre ceased communications. 

Uber, on the other hand, attempted to remit payment to the hackers, ostensibly as a part of a “bug bounty” program.  (Tech companies offer rewards to so-called ‘white hat’ hackers who proactively find bugs.) Uber then travelled to Florida and Canada to sign nondisclosure agreements with the hackers.  The company would go on to reveal the breach of 57 million users’ data in 2017, months after it was communicated to them.

The two face up to five years’ prison time and $250,000 in fines. Sentencing will occur in 2020.