
Uber Cyber-Attack: A Live Timeline

Date: 18 September 2022

Uber needs no introduction, so we’ll skip that part and jump right into the big news: apparently it’s been compromised by an 18-year-old hacker!

As per media stories and numerous tweets, it appears that a threat actor managed to get access to Uber’s vulnerability reports, the company’s internal systems, email dashboard, and Slack server. That’s not all: screenshots doing the rounds online also indicate that the hacker allegedly had access to critical Uber IT systems, security software and Windows domain, Amazon Web Services console, and VMware ESXi virtual machines.

The New York Times, which first broke the news, shared that it was in touch with the hacker who, apparently, claims that he managed to compromise Uber’s systems by performing a social engineering attack on an employee.

As per other reports, the hacker also had access to the company's HackerOne bug bounty program, where they commented on all of the company's bug bounty tickets. If, as some stories allege, the attacker downloaded all vulnerability reports before losing access to Uber's bug bounty program, including vulnerability reports that have not been fixed, it’s a huge security risk to Uber even in the days to come. 

The idea is never to point a finger at any victim of a cyber-attack but simply to learn from their experience. The learning here is crystal clear - if employees of a Fortune 500 company can fall prey to a social engineering attack that can have such massive repercussions, anyone who assumes that their non-IT staff won’t make such a mistake is in risky territory. The only lesson here is that no organisation should ever assume they are 100% safe. Investing in cyber security and awareness training for staff should be a never-ending process and a life-long commitment. Services like our Virtual Cyber Assistant can even help organisations with very modest budgets improve their cybersecurity maturity and cyber resilience over time.

Quick reading guide:

  • About this Article
  • What & How It Happened
  • Business Impact

We, at Cyber Management Alliance, created this Google Doc on 16th September, 2022 and invite you to take part in sharing the intelligence and knowledge about this cyber-attack. 

We are determined to use the power of the crowds, the Wisdom of Crowds, to ensure that we all have a fighting chance to protect not only cyberspace, but the physical world that is now almost, if not fully, connected to cyberspace. 

This is a work in progress document and NOT final in any sense. Please feel free to contribute and/or make suggestions at [email protected]

Disclaimer: This document has been created with the sole purpose of encouraging discourse on the subject of cybersecurity and good security practices. Our intention is not to defame any company, person or legal entity. Every piece of information mentioned herein is based on reports and data freely available online. Cyber Management Alliance neither takes credit nor any responsibility for the accuracy of any source or information shared herein.

What & How it Happened 

1st January-2022: Uber ignored a vulnerability disclosed by a bug bounty hunter, SAFE (@0x21SAFEs). The threat hunter warned the company that the vulnerability could be abused by threat actors to email the 57 million Uber users and drivers whose information was leaked in the 2016 data breach. But Uber, allegedly, didn’t take it seriously.

17th August-2022: HackerOne shut down one of Uber's assets on the HackerOne platform called ListStorageBuckets (a bug bounty program) as it was apparently compromised by the hackers.

15th September-2022: An 18-year-old hacker hit Uber and accessed its third-party services. Uber disclosed the incident in a tweet: “We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.”


16th September-2022: Taking responsibility for the cyber attack, the hacker told The New York Times that he had been working on his cybersecurity skills for several years. He said he had broken into Uber’s systems because the company had weak security. In the Slack message that announced the breach, the threat actor raised the concern of Uber drivers. He said: “Uber drivers should receive higher pay.”

16th September-2022: According to various sources like The NY Times and Reuters, the 18-year-old hacker said that he had sent a text message to an Uber employee claiming to be a corporate IT person. The worker was persuaded to hand over a password that allowed the hacker to gain access to Uber's systems.

16th September-2022: The hackers, apparently, told the NYT that they breached Uber for fun and are considering leaking the company’s source code. They also shared that they have gained access to Uber’s systems through login credentials obtained from an employee via social engineering, which allowed them to access an internal company VPN. From there, they found PowerShell scripts on Uber’s intranet containing access management credentials that allowed them to allegedly breach Uber’s AWS and G Suite accounts. 

16th September-2022: According to The Register, the screenshots leaked on Twitter show: “An intruder has compromised Uber's AWS cloud account and its resources at the administrative level; gained admin control over the corporate Slack workspace as well as its Google G Suite account that has over 1PB of storage in use; has control over Uber's VMware vSphere deployment and virtual machines; access to internal finance data, such as corporate expenses; and more.” The source claims: “If this is correct, Uber has been significantly compromised with data and infrastructure at multiple levels available to the intruder.”

16th September-2022: The Register said there are many claims that show that hackers allegedly have access to a Confluence installation, private source code repositories, and a SentinelOne security dashboard used by the app developer. 

16th September-2022: Quoting a tweet by Colton (@ColtonSeal), who shared a screenshot of the hacker claiming that he had hacked Uber (“I announce I am a hacker and Uber has suffered a data breach. Slack has been stolen, confidential data with Confluence, stash and 2 monorepos from phabricator have also been stolen, along with secrets from sneakers. #uberunderpaisdrives”), the infosec analyst payloadartist (@payloadartist) said: “Apparently, the attacker even posted a message on Slack informing the Uber employees of the breach but everyone thought it was a joke.”


16th September-2022: Payloadartist (@payloadartist) posted the impact details. He tweeted: “Uber apparently got grandly hacked. Attacker basically got access to almost everything (allegedly)

  • Google Workspace Admin
  • AWS Accounts
  • HackerOne Admin
  • SentinelOne EDR
  • Financial Dashboards”

16th September-2022: Sam Curry, the cybersecurity expert and threat hunter, told NYT: “It seems like maybe they’re this kid who got into Uber and doesn’t know what to do with it, and is having the time of his life.”

16th September-2022: Sam Curry (@samwcyo) also highlighted this incident and the impact in his tweet: “Someone hacked an Uber employee's HackerOne account and is commenting on all of the tickets. They likely have access to all of the Uber HackerOne reports.”

16th September-2022: Sam Curry (@samwcyo) posted a tweet relaying details from an Uber employee who asked to keep his identity hidden: “Feel free to share but please don’t credit me: at Uber, we got an “URGENT” email from IT security saying to stop using Slack. Now anytime I request a website, I am taken to a REDACTED page with a pornographic image and the message “F*** you wankers.””

16th September-2022: Sam Curry (@samwcyo) tweeted another employee’s statement: “From another Uber employee:

Instead of doing anything, a good portion of the staff was interacting and mocking the hacker thinking someone was playing a joke. After being told to stop going on slack, people kept going on for the jokes. Lmao.” 

16th September-2022: While Uber employees were, apparently, taking the hacker's communication as a joke, one unnamed Uber employee, allegedly, told Sam Curry that staff were interacting with the hacker thinking they were playing a joke. He shared a communication screenshot saying: “Sorry to be a stick in the mud, but I think IT would appreciate less memes while they handle the breach.” 

16th September-2022: The malware librarians at VX Underground tweeted: 

“More Uber information data disclosed: vSphere, Google workplace data, and more AWS data.” 

“A Threat Actor claims to have completely compromised Uber - they have posted screenshots of their AWS instance, HackerOne administration panel, and more. They are openly taunting and mocking @Uber.” 

16th September-2022: Sam Curry (@samwcyo) tweeted: “The attacker is claiming to have completely compromised Uber, showing screenshots where they’re full admin on AWS and GCP.” 

16th September-2022: The malware librarians at VX Underground tweeted that hackers accessed Uber’s financial data: “They disclosed Uber's financial data”.

16th September-2022: Sharing a hint on the tactics used in the Uber data breach incident, the cybersecurity expert Corben Leo (@hacker_) tweeted: “Uber was hacked. The hacker social engineered an employee -> logged into the VPN and scanned their intranet.” 

16th September-2022: The infosec researcher Corben Leo also shared the information of an internal network TeaPot. He tweeted: “Apparently there was an internal network share that contained powershell scripts.” “One of the powershell scripts contained the username and password for an admin user in Thycotic (PAM) Using this i was able to extract secrets for all services, DA, DUO, Onelogin, AWS, GSuite.”


16th September-2022: Security researcher Bill Demirkapi (@BillDemirkapi) explained in this thread how hackers compromised Uber’s MFA:

“Let's talk about how they were compromised. The attacker has been quite upfront about how they compromised Uber's corporate infrastructure. Uber appears to use push notification MFA (Duo) for their employees. How can an attacker get around MFA?”

“An extremely common misconception people have with standard forms of MFA (push/touch/mobile) is that it prevents social engineering. Although MFA can protect against an attacker who only has the victim's credentials, it is commonly still vulnerable to MiTM attacks.” 

“An attacker can setup a fake domain that relays Uber's real login page with tooling such as Evilginx. The only difference is the domain they are visiting, which is easy to miss. For most MFA, nothing stops the attacker from relaying the authentication process.” 

“Once the attacker compromised an employee, they appear to have used that victim's existing VPN access to pivot to the internal network. Internal infrastructure is often significantly less audited and evaluated compared to external infrastructure.” 

“In this case, the attacker appears to have found an internal network share that contained scripts with privileged credentials, giving them the keys to the kingdom. They claim to have compromised Uber's Duo, OneLogin, AWS, and GSuite environments.”
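The failure mode described in the thread above, scripts on an internal share carrying privileged credentials, is something defenders can look for on their own shares. The following is an added example, not code from the original article or from Uber: a small Python scanner that flags hard-coded credentials in PowerShell files and masks the value in its report. The sample script, the `Connect-ExampleVault` cmdlet and every value in it are constructed, and the patterns are heuristics that need tuning per environment.

```python
import os
import re
from dataclasses import dataclass

SCRIPT_EXTENSIONS = (".ps1", ".psm1", ".psd1")
SECRET_WORD = r"(?:pass(?:word|wd)?|pwd|secret|api_?key|token)"
QUOTED = r"(?P<q>['\"])(?P<val>.*?)(?P=q)"

# Heuristic rules: (name, pattern). Each pattern captures the quote and the value.
RULES = [
    # $dbPassword = 'literal'
    ("secret-variable-literal",
     re.compile(r"\$\w*" + SECRET_WORD + r"\w*\s*=\s*" + QUOTED, re.I)),
    # Some-Cmdlet -Password "literal"
    ("secret-parameter-literal",
     re.compile(r"(?<![\w-])-\w*" + SECRET_WORD + r"\w*[\s:]+" + QUOTED, re.I)),
    # ConvertTo-SecureString "literal" -AsPlainText -Force
    ("plaintext-securestring",
     re.compile(r"ConvertTo-SecureString\b(?=[^\n]*-AsPlainText)[^\n'\"]*"
                + QUOTED, re.I)),
]


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    excerpt: str  # source line with the secret value masked


def _is_literal(quote: str, value: str) -> bool:
    """True if the quoted value is a hard-coded string, not a reference."""
    value = value.strip()
    if not value or re.fullmatch(r"<[^>]*>", value):  # empty or <placeholder>
        return False
    if quote == "'":  # single-quoted PowerShell strings never interpolate
        return True
    # A double-quoted "$var" or "$(expr)" is a reference to a runtime value.
    return not re.fullmatch(r"\$[\w:{}().\[\]$]+", value)


def scan_text(path: str, text: str) -> list[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            hit = next((m for m in pattern.finditer(line)
                        if _is_literal(m.group("q"), m.group("val"))), None)
            if hit:
                start, end = hit.span("val")
                # Mask the value so the report is not a second copy of the secret.
                masked = line[:start] + "*" * 8 + line[end:]
                findings.append(Finding(path, line_no, rule, masked.strip()))
                break  # one finding per line is enough for triage
    return findings


def _decode(raw: bytes) -> str:
    # Scripts saved by older Windows editors are often UTF-16 with a BOM.
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8-sig", errors="replace")


def scan_tree(root: str) -> list[Finding]:
    """Walk a directory (e.g. a mounted share) and scan every PowerShell file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith(SCRIPT_EXTENSIONS):
                full = os.path.join(dirpath, name)
                try:
                    with open(full, "rb") as fh:
                        findings.extend(scan_text(full, _decode(fh.read())))
                except OSError:
                    continue  # unreadable file: skip it and keep scanning
    return findings


# Constructed sample script; every name and value below is made up.
SAMPLE_PS1 = r'''
# nightly sync job
$pamUser = "svc-sync"
$pamPassword = 'Examp1e-Not-Real!'
$secure = ConvertTo-SecureString "Examp1e-Not-Real!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ($pamUser, $secure)
Connect-ExampleVault -Url "https://pam.example.internal" -ApiKey "0000-constructed-0000"
# Safer pattern: value supplied at run time, nothing to find on disk
$safe = ConvertTo-SecureString $env:SYNC_PW -AsPlainText -Force
$token = "$($response.token)"
'''

if __name__ == "__main__":
    for f in scan_text("sync.ps1", SAMPLE_PS1):
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.excerpt}")
```

Any hit should be treated as a credential to rotate, not only a line to delete, since the value may already have been read from the share.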

16th September-2022: After Uber took its internal software tools offline due to the cyber attack, it gradually started bringing them online. In a statement, the company stated: “Internal software tools that we took down as a precaution yesterday are coming back online this morning.” 

18th September-2022: Michael (@LegacyKillaHD), a famous video gaming expert, gave a clue on who could be behind the Uber hack when he tweeted: “Just an FYI. Person behind this GTA 6 leak is allegedly behind the recent hack of Uber a few days ago. At least he claims to be & used a similar method to steal Rockstar's secrets. Essentially, this isn't an angry employee or fan. A hacker that will be difficult to track down.”

Business Impact

16th September-2022: In its official update, Uber said: “We have no evidence that the incident involved access to sensitive user data (like trip history). All of our services including Uber, Uber Eats, Uber Freight, and the Uber Driver app are operational.” 

16th September-2022: According to Bloomberg, Uber shares fell 5.2% in pre-market trading in New York Friday. 

16th September-2022: According to BleepingComputer, “The attacker downloaded all vulnerability reports before they lost access to Uber's bug bounty program. This likely includes vulnerability reports that have not been fixed, presenting a severe security risk to Uber. HackerOne has since disabled the Uber bug bounty program, cutting off access to the disclosed vulnerabilities. However, it would not be surprising if the threat actor had already downloaded the vulnerability reports and would likely sell them to other threat actors to cash out on the attack quickly.”

References: 

  • https://www.linkedin.com/posts/chiefinfosec_leadership-informationsecurity-incidentresponse-activity-6976415560624439296-OWgb?
  • https://twitter.com/Uber_Comms/status/1570584747071639552
  • https://www.theverge.com/2022/9/16/23356213/uber-hack-teen-slack-google-cloud-credentials-powershell  
  • https://www.nytimes.com/2022/09/15/technology/uber-hacking-breach.html   
  • https://twitter.com/samwcyo/status/1570581007044317184  
  • https://twitter.com/vxunderground/status/1570611979169202179  
  • https://twitter.com/ColtonSeal/status/1570596125924794368  
  • https://twitter.com/hacker_/status/1570582547415068672  
  • https://twitter.com/vxunderground/status/1570597582417821703  
  • https://www.theregister.com/2022/09/16/uber_security_incident/  
  • https://www.washingtonpost.com/technology/2022/09/15/uber-hack/  
  • https://hackerone.com/uber/updates?type=team  
  • https://twitter.com/hacker_/status/1570582202697809920  
  • https://twitter.com/payloadartist/status/1570631734861111296  
  • https://www.reuters.com/business/autos-transportation/uber-investigating-computer-network-breach-nyt-2022-09-16/  
  • https://twitter.com/0x21SAFE/status/1476991015395471364  
  • https://www.bleepingcomputer.com/news/security/uber-hacked-internal-systems-breached-and-vulnerability-reports-stolen/  
  • https://www.cnbc.com/2022/09/16/uber-investigates-cybersecurity-incident-after-reports-of-a-hack.html  
  • https://www.bloomberg.com/news/articles/2022-09-16/uber-says-it-s-investigating-extent-of-cybersecurity-incident  
  • https://www.uber.com/en-CA/newsroom/security-update/  
  • https://twitter.com/LegacyKillaHD/status/1571439441482235904  

Legal & Disclaimers

Every contributor has made an effort to ensure that the information in this document is accurate. Cyber Management Alliance Ltd (herein referred to as CMA) hereby disclaims any liability to any party for any loss, damage or disruption caused by this information in this document or errors or omissions, whether such errors or omissions result from negligence, accident or any other cause. 

The reader must understand that this document is not intended to replace professional consultancy, advice and guidance. The reader must ensure that he/she seeks professional consultation and/or refers to other material and/or consultants in matters relating to, but not limited to, cyber attacks or data breaches. Cybersecurity, information security and data privacy are a complex set of topics and the authors and CMA advise the reader to take full responsibility and precaution to protect their personal information and not to take risks beyond the level of experience, aptitude, training and comfort level.


Cold Call podcast series

Uber’s Strategy for Global Success

How can Uber adapt its business model to compete in unique global markets?


As Uber entered unique regional markets around the world – from New York to Shanghai, it has adapted its business model to comply with regulations and compete locally. As the transportation landscape evolves, how can Uber adapt its business model to stay competitive in the long term?

Harvard Business School assistant professor Alexander MacKay describes Uber’s global market strategy and responses by regulators and local competitors in his case, “Uber: Competing Globally.”

HBR Presents is a network of podcasts curated by HBR editors, bringing you the best business ideas from the leading minds in management. The views and opinions expressed are solely those of the authors and do not necessarily reflect the official policy or position of Harvard Business Review or its affiliates.

BRIAN KENNY: The theory of disruptive innovation was first coined by Harvard Business School professor Clayton Christensen in his 1997 book, The Innovator’s Dilemma. The theory explains the phenomenon by which an innovation transforms an existing market or sector by introducing simplicity, convenience, and affordability where complication and high cost are the status quo. Think Netflix disrupting the video rental space. Over the years, the term has been applied liberally and not always correctly to other examples, but every so often, an idea comes along that really fits the bill. Enter Uber, the ridesharing behemoth that turned the car service industry on its head. In a few short years after launching in 2010, Uber became the largest car service in the world, as measured in ride count. Last year, Uber drove 6.2 billion riders. Today’s case takes us to London in 2019, where Uber is facing the latest in a long list of challenges from regulators threatening their ability to continue operating in that important market. In this episode of Cold Call, we welcome Alexander MacKay to discuss the case entitled, “Uber: Competing Globally.” I’m your host, Brian Kenny, and you’re listening to Cold Call on the HBR Presents network.

Alexander MacKay is in the strategy unit at Harvard Business School. His research focuses on matters of competition, including pricing, demand, and market structure. Alex, thanks for joining us on Cold Call today.

ALEX MACKAY: Thank you, Brian. Very happy to be here.

BRIAN KENNY: The idea of Uber seems so simple, but it was revolutionary in so many ways. And Uber has been in the headlines many times for both good and bad reasons in its decade of existence. So we’re going to touch on a lot of those things today. So thanks for sharing the case with us.

ALEX MACKAY: Brian, I’m very happy to. It’s a little funny, we’ve actually started to see the first few students who have never hailed a traditional taxi in our classrooms. So I think increasingly, the contrast between the two is going to be pretty difficult for people to fully understand.

BRIAN KENNY: Let me ask you to start by telling us what your cold call would be when you set up the class here.

ALEX MACKAY: The case starts off with the current legal battle going on in London. And so the first question I just ask to start the classroom is: What’s the end game for Uber in London? What do they look like 10 years from now? In the midst of this ongoing legal battle, there has been back and forth, some give and take from both sides, Transportation for London, and also on the Uber side as well. And there’s actually a recent court case that has allowed Uber to have a little more time to operate. They bought about 18 more months of time, but this has been also brought with additional, stricter scrutiny, and 18 months from now, they’re going to be at it again trying to figure out exactly what rules Uber’s allowed to operate under.

BRIAN KENNY: It seems like 18 months in the lifetime of Uber is like a decade. Everything seems to happen so quickly for this company. That’s a long period of time. What made you decide to write this case? How does it relate to the work that you’re doing in your research?

ALEX MACKAY: A big focus of my research is on competition policy, particularly the realms of antitrust and regulation. And here we have a company, Uber, whose relationship with regulation has been really essential to its strategy from day one. And I think appreciating the effects of regulation and how it impacts Uber’s performance in different markets, is really critical for understanding strategy and global strategy broadly.

BRIAN KENNY: Let’s just talk a little bit about Uber. I think people are familiar with it, but they may not be familiar with just how large they are in this space. And the space that they’ve sort of created has also blown up and expanded in many ways. So how big is Uber? Like what’s the landscape of ridesharing look like and where does Uber sit in that landscape?

ALEX MACKAY: Uber globally is the biggest ridesharing company. In 2018, they had over $10 billion in revenue for both ridesharing and their Uber Eats platform. And you mentioned in the introduction, that they had over 6 billion rides in 2019. That’s greater than 15 million rides every day that’s happening on their platform. So really, just an enormous company.

BRIAN KENNY: So they started back in 2010. It’s been kind of an amazing decade of growth for them. How do you explain that kind of rapid expansion?

ALEX MACKAY: They were financed early on with some angel investors. I think Kalanick’s background really helped there to get some early funding. But one of the critical things that allowed them to expand early into many markets that helped their growth was they’re a relatively asset light company. On the ground, they certainly need sales teams, they need translation work to move into different markets, but because the main asset they were providing in these different markets was software, and drivers were bringing their own cars and riders were bringing their own phones, the key pieces of hardware that you need to operate this market, they really didn’t have to invest a ton of capital. In fact, when they launched in Paris, they launched as sort of a prototype, just to show, “Hey, we can do this in Paris without too much difficulty,” as their first international market. So being able to really scale it across different markets really allowed them to grow. I think by 2015, their market cap was $60 billion, five years after founding, which is just an incredible rate of growth.

BRIAN KENNY: So they’re the biggest car service in the world, but they don’t own any cars. Like what business are they really in, I guess is the question?

ALEX MACKAY: They’re certainly in the business of matching riders to drivers. They’ve been able to do this in a way that doesn’t require them to own cars, just through the use of technology. And so what they’re doing, and this is I think pretty well understood, is that they’re using existing capital, people who have cars that may be going unused, personal cars, and Uber is able to use that and deploy that to give riding services to different customers. Whereas in the traditional taxi model, you could have taxis that you didn’t necessarily own, but you leased them or you rented them, but they had the express purpose of being driven for taxi services. And so it wasn’t using idle capital. You kind of had to create additional capital in order to provide the services.

BRIAN KENNY: So you mentioned Travis Kalanick a little bit earlier, but he was one of the co-founders of the company, and the case goes a little bit into his philosophy of what expansion into new markets should look like. Can you talk a little bit about that?

ALEX MACKAY: Certainly. Yeah. And I think it might even be helpful to talk a bit about his background, which I think provides a little more context before Uber. He dropped out of UCLA to work on his first company, Scour, and that was a peer-to-peer file sharing service, a lot like Napster, and actually predated Napster. And where he was operating was sort of an evolving legal gray area. Eventually, Scour got sued for $250 billion by a collection of entertainment companies and had to file for bankruptcy.

BRIAN KENNY: Wow.

ALEX MACKAY: He followed that up with his next venture, Red Swoosh, and that was software aimed at allowing users to share network bandwidth. So again, it was a little bit ahead of its time, making use of recent advances in technology. Early on though, they got in trouble with the IRS. They weren’t withholding taxes, and there were some other issues with his co-founder, and there was sort of a bad breakup between the two. Despite this, he persevered and ended up selling the company for $23 million in 2007. And after that, his next big thing was Uber. So one thing I just want to point out is that at all three of these companies, he was looking to do something that leveraged new technology to change the world. And by nature, sometimes businesses like that operate in a legal gray area and you have very difficult decisions to make. Some other decisions you have to make are clearly unethical and there’s really no reason to make some of those decisions, like with the taxes and with some other things that came out later on at Uber, but certainly one of the things that any founder who’s looking to change the world with a big new technology company has to deal with, is that often, the legal framework and the regulatory framework around what you’re trying to do isn’t well established.

BRIAN KENNY: Obviously drama seems to follow Travis where he goes. And his expansion strategy was pretty aggressive. It was almost like a warlike mentality in terms of going into a new market. And you could sort of sum it up as saying ask forgiveness. Is that fair?

ALEX MACKAY: Yeah. Yeah. Ask for forgiveness, not permission. I think they were really focused on winning. I think that was sort of their ultimate goal. We describe in the case there’s this policy of principled confrontation, to ignore existing regulations until you receive pushback. And then when you do receive pushback, either from local regulators or existing sort of taxicab drivers, mobilize a response to sort of confront that. During their beta launch in 2010, they received a cease-and-desist letter from the city of San Francisco. And they essentially just ignored this letter. They rebranded, they used to be UberCab, and they just took “Cab” out of their name, so now they’re Uber. And you can see their perspective in their press release in response to this. They say, “UberCab is a first to market cutting edge transportation technology, and it must be recognized that the regulations from both city and state regulatory bodies have not been written with these innovations in mind. As such, we are happy to help educate the regulatory bodies on this new generation of technology and work closely with both agencies to ensure compliance.”

BRIAN KENNY: It’s a little arrogant.

ALEX MACKAY: Yeah, so you can see right there, they’re saying, what we’re operating in is sort of this new technology-based realm and the regulators don’t really understand what’s going on. And so instead of complying with the existing regulations, we’re going to try to push regulations to fit what we’re trying to do.

BRIAN KENNY: The case is pretty epic in terms of it sort of cuts a sweeping arc across the world, looking at the challenges that they faced with each market they entered, and none more interesting, I think, than New York City, which is obviously an enormous market. Can you talk a little bit about some of the challenges they faced going into New York with the cab industry being as prevalent as it was and is?

ALEX MACKAY: Yeah, absolutely. I mean, I think it’s pretty well known for people who are familiar with New York that there were restrictions on the number of medallions which allowed taxis to operate. So there was a limited number of taxis that could drive around New York City. This restriction had really driven up the value of these medallions to the taxi owners. And if you had the experience of taking taxis in New York City prior to the advent of Uber, what you’d find is that there were some areas where the service was very, very good. Downtown, Midtown Manhattan, you could almost always find a taxi, but there are other parts of the city where it was very difficult at times to find a cab. And when you got in a cab, you weren’t sure that you were always going to be given a fair ride. And so Uber coming in and providing this technology that allowed you to pick up a ride from anywhere and sort of track the route as you’re going on really disrupted this market. Consumers love them. They had a thousand app signups before they even launched. Kalanick mentioned this in terms of their launch strategy, we have to go here because the consumers really want us here. But immediately, they started getting pushback from the taxicab owners who were threatened by this new mode of transportation. They argued that they should be under the same regulations that the taxis were. And there were a lot of local government officials that were sort of mobilized against Uber as well. De Blasio, the Mayor of New York, wrote opinion articles against Uber, claiming that they were contributing to congestion. There was a lot of concern that maybe they had some safety issues, and the taxi drivers and the owners brought a lawsuit against Uber for evading these regulations.
And then later on, and this was the case in many local governments, de Blasio introduced a bill to put additional restrictions on Uber that would make them look a lot more like a traditional taxi operating model, with limited number of licenses and strict requirements for reporting.

BRIAN KENNY: And this is the same scenario that’s going to play out almost with every city that they go into because there is such an established infrastructure for the taxi industry in those places. They have lobbyists. They’re tied into the political networks. In some instances, it was revealed that they’ve been connected with organized crime. So not for the faint of heart, right, trying to expand into some of the biggest cities in the United States.

ALEX MACKAY: Absolutely. Absolutely. And what’s sort of fascinating about the United States is it’s actually a place where a company can engage in this battle over regulation on the ground. And de Blasio writes his opinion article and pushes forward this bill. Uber responds by taking out an ad campaign, over $3 million, opposing these regulations and calling out de Blasio. So again, we sort of have this fascinating example of Uber mobilizing their own lobbyists, their lawyers, but also public advertising to sort of convince the residents of New York City that de Blasio and the regulators that are trying to come down on them are in the wrong.

BRIAN KENNY: Yeah. And at the end of the day, it’s consumers that they’re really making this appeal to, because I guess my question is, are these regulations stifling innovation? And if they are, who pays the ultimate price for that, Uber or the consumer?

ALEX MACKAY: Consumers definitely loved Uber. And I don’t think any of the regulators were trying to stifle innovation. I don’t think they would say that. I think their biggest concern, their primary concern was safety, and a secondary and related concern here was losing regulatory oversight over the transportation sector. So this is a public service that had been fairly tightly regulated for a long time, and there was some concern that what happens when this just becomes almost a free market sector. At the same time, these regulators have the lobbyists from the taxicab industry and other interested parties in their ear trying to convince them that Uber really is like a taxi company and should be regulated, and really emphasizing the safety concerns and other concerns to try to get stricter regulations put on Uber. And part of that may be valid. I think you certainly should be concerned about safety and there are real concerns there, but part of it is simply the strategic game that rivals are going to play between each other. And the taxicab industry sees Uber as a threat. It’s in their best interest to lobby the regulators to come down on Uber.

BRIAN KENNY: And what’s amazing to me is that while all this is playing out, they’re not turning their tails and running. They’re continuing to push forward and expand into other parts of the world. So can you talk a little bit about what it was like trying to go into countries in Latin America, countries in Asia, where the regulations and the regulatory infrastructure is quite different than it is in the US?

ALEX MACKAY: In the case, we have anecdotes, vignettes, one for each continent. And their experience in each continent was actually pretty different. Even within a continent, you’re going to have very different regulatory frameworks for each country. So we sort of pick a few and focus on a few, just to highlight how the experience is very different in different countries. And one thing that’s sort of interesting, in Latin America, we focus on Bogota in Colombia, and what’s sort of interesting there is they launched secretly and they were pretty early on considered to be illegal, but they continue to operate despite the official policy of being illegal in Colombia. And they were able to do that in a way that you may not be able to do it so easily in the United States, just because of the different layers of enforcement and policy considerations that are present in Colombia and not necessarily in the United States. Now, when I talk about the current state of Uber in different countries, this is continually evolving. So they temporarily suspended their operations early in 2020 in Colombia. Now they’re back. This is a continual back and forth game that they’re playing with the regulators in different markets.

BRIAN KENNY: And in a place like Colombia, are they not worried about violence and the potential for violence against their drivers?

ALEX MACKAY: Absolutely. So this is true sort of around the world. I think in certain countries, violence becomes a little bit more of a concern. And what they found in Colombia is they did have more incidents where taxi drivers decided to take things into their own hands and threaten Uber drivers and Uber riders, sometimes with weapons. Another decision Uber had to make that was related to that was whether or not to allow riders to pay in cash. Because in the United States, they’d exclusively used credit cards, but in Latin America and some other countries like India, consumers tended to prefer to use cash to pay, and allowing that sort of opened up this additional risk that Uber didn’t really have a great system in place to protect them from. Because when you go to cash, you’re not able to track every rider quite as easily, and there’s just a bigger chance for fraud or for robbery and that sort of thing popping up.

BRIAN KENNY: Going into Asia was also quite a challenge for them. Can you talk a little bit about some of the challenges they faced, particularly in China?

ALEX MACKAY: They had very different experiences in each country in Asia. China was a unique case that is very fascinating, because when Uber launched there, there were already existing technology-based, you might call them, rideshare companies, that were fairly prominent, Didi and Kuaidi. And these companies later merged to be one company, DiDi, which is huge. It’s on par with Uber in terms of its global presence as a ridesharing company. When Uber launched there, they didn’t fully anticipate all the changes they would have to make to going into a very different environment. In China, besides having established competitors, Google Maps didn’t work, and they sort of relied on that mapping software to do their location services. So they had to completely redo their location services. They also, again, relied on credit cards for payments, and in China, consumers increasingly used apps to do their payments. And this became a little bit of a challenge because the main app that Chinese customers used, they used WeChat and Alipay primarily, they were actually owned by parent companies of the rival ridesharing company. So Uber had to essentially negotiate with its rivals in order to have consumers pay for their ridesharing services. And so here are a few sort of localization issues that you could argue Uber didn’t fully anticipate when they launched. The other thing about competing in China that’s sort of interesting is that Chinese policy regarding competition is very different from policy in the United States and much of Europe. For the most part, there’s not the traditional antitrust view of protecting the consumers first and foremost. That certainly comes into play, but the Chinese government has other objectives, including promoting domestic firms.
And so if you think about launching into a company where there’s a large established domestic rival that certainly increases the difficulty of success, because when push comes to shove, the government is likely to come down on the side of your rival, which is the domestic company, and not the foreign entrant.

BRIAN KENNY: Yeah, which is understandable, I guess, to some extent. This sounds exhausting, to be sort of fighting skirmishes on all these fronts in all these different places in the world. How does that affect the morale or tear at the fabric maybe of the culture at a company like Uber, where they’re trying to manage this on a global scale and running into challenges every step of the way?

ALEX MACKAY: It certainly has an effect. I think Uber did a very good job at recruiting teams of people who really wanted to win. And so, if that’s the consistent message you’re sending to your teams, then these challenges may be actually considered somewhat exciting. And so I think by bringing in that sort of person, I think they actually fueled this desire to win in these markets and really kept the momentum going. One of the downsides of this of course is that if you exclusively focus on winning and getting around the existing regulations, there does become this challenge of what’s ethical and what’s not ethical? And in certain business areas, there actually often is a little bit of a gray line. I mean, you can see this outside of ridesharing. It’s a much broader thing to think about, but regulation of pharmaceuticals, regulation of use of new technologies such as drones, often the technology outpaces the regulation by a little bit and there’s this lag in trying to figure out what actually is the right thing to do. I think it’s a fair question whether or not you can disentangle this sort of principle of confrontation that’s so pervasive throughout the company culture when it comes to regulation from this principle confrontation of other ethical issues that are not necessarily business driven, and whether or not it’s easy to maintain that separation. And I think that’s a fair question, certainly worthy for debate. But what I think is important is you can set up a company where you are abiding by ethical issues that are very clear, but you’re still going to face challenges on the legal side when you’re developing a new business in an area with new technology.

BRIAN KENNY: That’s a great insight. I mean, I found myself asking myself as I got through the case, I can’t tell if Uber is the victim or the aggressor in all of this. And I guess the answer is they’re a little bit of both.

ALEX MACKAY: Yeah. I think it’s fair to characterize them as an aggressor, and I think you sort of need to be if you want to succeed and if you want to change the world in a new technology area. In some sense, they’re a victim in that we’re all the victim as consumers and as firms of regulations that are sometimes difficult to adapt in real time to changing market conditions. And there’s a good reason why they are sticky over time, but sometimes that can be very costly. Going back to something we talked about earlier, I think there are hardly any consumers that wanted Uber kicked out of New York City. I think everyone realized this was just so much superior to any other option they had, that they were really willing to fight to keep Uber around in the limited ways they could.

BRIAN KENNY: So let’s go back to the central issue in the case then, which is, how important is it to them, in terms of their global strategy, to have a presence in a place like London? They’re still not profitable by the way, we should point that out, that despite the fact that they are the largest in the space, they haven’t turned the corner to profitability yet. I would imagine London’s kind of important.

ALEX MACKAY: Absolutely. London is a key international city, and a presence there is important for Uber’s overall brand. So many people travel through London, and it’s a real benefit for anyone who travels to be able to use the same service at any city you stop in. At the same time, they’re facing these increasing regulatory pressures from London, and so it’s a real question whether or not, 10 years from now, they look substantially different from the established taxi industry that’s there. And you can kind of see this battle playing out across different markets. As another example, in Ghana. When they entered there, they actually entered with a framework for understanding. They helped build the regulations for ridesharing services in Ghana when they entered. But over time, that evolved to additional restrictions as the existing taxi companies pushed back on them. So I think a key lesson here in all of this is that the regulations that you see at any given point in time aren’t absolutely fixed, for anyone starting a technology-based company, there will be regulations that do get created that affect your business. Stepping outside of transportation, we can see that going on now with the big tech firms and sort of the antitrust investigations they’re under. And the policymakers in the US and Europe are really trying to evolve the set of regulations to reflect the different businesses that Apple, Facebook, Microsoft, Google are involved in.

BRIAN KENNY: One thing we haven’t touched on, and it’s not touched on in the case obviously because it just sort of started fairly recently, is the pandemic and the implications of the pandemic for the rideshare industry as fewer people find themselves in need of going anywhere. Have you given any thought to that and whether that’s going to have any effect on the regulations?

ALEX MACKAY: It certainly could. Uber is in a somewhat fortunate position, at least if you judge by their market capitalization, with respect to the pandemic. Initially their stocks took a pretty big hit, but rebounded pretty quickly, and part of this is because the primary part of their business is the transportation through Uber X, but they do also offer the delivery services through Uber Eats, and that business has really picked up during this pandemic. There’s certainly a mix of views about the future, but I think most people do believe that at some point we’ll get back to business as usual, at least for Uber services, when we come up with a vaccine. I think most people anticipate that they’ll be resuming use of Uber once it becomes safe to do so. And I think, to be frank, a lot of people already have resumed using Uber, especially people who don’t have cars or who see it as a valuable alternative or a safer alternative to public transit.

BRIAN KENNY: Yeah, that’s a really good point. And the Uber Eats thing is interesting as another example of how it’s important for businesses to re-imagine the business that they’re in because that, in many ways, may be helping them through a really tough patch here. This has been a really interesting conversation, Alex, I want to ask you one final question, which is, as the students are packing up to leave class, what’s the one thing you want them to take away from the case?

ALEX MACKAY: So I would hope the students take away the importance of regulation in business strategy. And I think the case of Uber really highlights that. And if you look at the conversation around Uber I’d say for the first 10 years of their existence, it was essentially around the superiority of their technology and not so much how they handled regulation. If you think back to the cease-and-desist letter that San Francisco issued in 2010, if Uber had simply stopped operations then, we wouldn’t have the ridesharing world that we have today. So their strategy of principle confrontation with respect to regulation was really essential for their future growth. Again, this does raise important ethical considerations as you’re operating in a legal gray area, but it’s certainly an essential part of strategy.

BRIAN KENNY: Alex, thanks so much for joining us on Cold Call today. It’s been great talking to you.

ALEX MACKAY: Thank you so much, Brian.

BRIAN KENNY: If you enjoy Cold Call, you might like other podcasts on the HBR Presents Network. Whether you’re looking for advice on navigating your career, you want the latest thinking in business and management, or you just want to hear what’s on the minds of Harvard Business School professors, the HBR Presents Network has a podcast for you. Find them on Apple podcasts or wherever you listen. I’m your host, Brian Kenny, and you’ve been listening to Cold Call, an official podcast of Harvard Business School on the HBR Presents Network.

This article is about competitive strategy.

  • Global strategy
  • Government policy and regulation

Uber’s CEO Dara Khosrowshahi said: ‘None of this should have happened, and I will not make excuses for it.’

Uber concealed massive hack that exposed data of 57m users and drivers

  • Firm paid hackers $100,000 to delete data and keep breach quiet
  • Chief security officer Joe Sullivan fired for concealing October 2016 breach

Uber concealed a massive global breach of the personal information of 57 million customers and drivers in October 2016, failing to notify the individuals and regulators, the company acknowledged on Tuesday.

Uber also confirmed it had paid the hackers responsible $100,000 to delete the data and keep the breach quiet, which was first reported by Bloomberg.

“None of this should have happened, and I will not make excuses for it,” Uber’s chief executive, Dara Khosrowshahi, said in a statement acknowledging the breach and cover-up. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”

A timeline of Uber's terrible year

Uber’s decision to lift surge pricing during a New York taxi drivers’ work stoppage in protest of the Trump travel ban prompts a viral #DeleteUber campaign.

Former Uber engineer Susan Fowler publishes a blog post with allegations of widespread sexual harassment and gender discrimination.

The New York Times exposes Uber’s use of Greyball, a tool to systematically deceive authorities in cities where Uber was violating local laws.

Uber admits it has for years been underpaying New York City drivers by tens of millions of dollars.

Uber fires 20 employees following the conclusion of an investigation into sexual harassment and workplace culture.

Uber is sued by an Indian passenger who was raped by an Uber driver after reports reveal that a top executive had obtained the woman’s medical records, allegedly in order to cast doubt upon her account.

CEO Travis Kalanick resigns.

The Wall Street Journal reports that Uber had rented fire-prone cars to drivers in Singapore, despite knowing that the vehicles had been recalled over serious safety concerns.

Uber loses its license to operate in London due to a lack of corporate responsibility. The company is appealing the decision.

Uber admits concealing a 2016 breach that exposed the data of 57 million Uber customers and drivers, failing to disclose the hack to regulators or affected individuals. The company paid a $100,000 ransom to the hackers to destroy the information and keep the breach quiet.

Hackers stole personal data including names, email addresses and phone numbers, as well as the names and driver’s license numbers of about 600,000 drivers in the United States. The company said more sensitive information, such as location data, credit card numbers, bank account numbers, social security numbers, and birth dates, had not been compromised.

In his statement, Khosrowshahi said the company had “obtained assurances that the downloaded data had been destroyed” and improved its security, but that the company’s “failure to notify affected individuals or regulators” had prompted him to take several steps, including the departure of two of the employees responsible for the company’s 2016 response.

Uber’s chief security officer, Joe Sullivan, was one of the two employees who left the company, Bloomberg reported.

The company’s failure to disclose the breach was “amateur hour”, said Chris Hoofnagle of the Berkeley Center for Law and Technology. “The only way one can have direct liability under security breach notification statutes is to not give notice. Thus, it makes little sense to cover up a breach.”

Under California state law, for example, companies are required to notify state residents of any breach of unencrypted personal information, and must inform the attorney general if more than 500 residents are affected by a single breach.

“The hack and the cover-up is typical Uber only caring about themselves,” said Robert Judge, an Uber driver in Pittsburgh, who said he had yet to receive any communication from the company. “I found out through the media. Uber doesn’t get out in front of things, they hide them.”

Uber said in a statement to drivers that it would offer those affected free credit monitoring and identity theft protection.

According to Bloomberg, the breach occurred when two hackers obtained login credentials to access data stored on Uber’s Amazon Web Services account. Paul Lipman, CEO of cybersecurity firm BullGuard, said that the fact that the data was being stored unencrypted was “unforgivable”.

“That’s just a complete misstep from an information security viewpoint,” he added.

The New York state attorney general’s office has opened an investigation into the data breach, a spokeswoman confirmed.

Uber’s potential civil liability from the breach is complicated by the fact that the United States’ various federal appellate courts are divided over how to treat data breach lawsuits. Some courts allow individuals to join class action lawsuits if they are simply at greater risk of having their identities stolen due to a breach, while other courts require plaintiffs to show that their personal information has actually been misused.

In June, health insurer Anthem settled litigation over a 2015 breach affecting 79 million people for a record $115m.

“Non-disclosure creates a practical risk in the hundreds of millions,” said Hoofnagle, who noted that companies can pay third parties to handle the fallout from a security breach – including notifications – for fees in the tens of millions. “Here’s the good news: drivers will finally squeeze money out of Uber.”

The hack and subsequent concealment is just the latest in a string of scandals and crises that Khosrowshahi inherited from his predecessor, Travis Kalanick, who was forced out of the $68bn startup in June.

The year started out with the trend-setting #DeleteUber viral boycott campaign, which arose after the company was accused of exploiting a New York taxi drivers’ work stoppage protesting against Trump’s travel ban.

Then in February, former employee Susan Fowler published a blogpost alleging a pervasive culture of gender discrimination and sexual harassment at the company.

The next month saw a New York Times report that for years Uber had been running a secret program to systematically deceive law enforcement officials in cities where its service violated regulations. Officials attempting to hail an Uber during a sting operation were “greyballed”; they might see icons of cars within the app navigating nearby, but no one would pick them up.

Fowler’s blogpost prompted Uber to commission an investigation of its workplace culture, and led to a public airing of the startup’s considerable dirty laundry. The company had soared to its position as the highest-value startup and dominant ride-hail app by defying rules and regulations, but the post-Fowler reckoning saw at least 20 employees fired and the company acknowledge that it needed to change. It also led to the eventual ousting of Kalanick himself.

Khosrowshahi displayed the new conciliatory style in September when Transport for London decided not to renew its license to operate in London. “We’ve got things wrong along the way,” the CEO said at the time. “On behalf of everyone at Uber globally, I apologise for the mistakes we’ve made.”

The Uber Breach Case Study: Cybersecurity Lessons Learned

Industry: Personal transportation industry

Uber is a global transportation technology company that has revolutionized the way people travel, work, and connect in the modern world. Founded in 2009, Uber has rapidly grown to become one of the most recognizable and disruptive brands in the transportation and technology industry.

How Did the Data Breach Occur?

Uber, a globally recognized ride-sharing and technology company, experienced a data breach as a result of a sophisticated cyberattack. The attack was orchestrated by a hacker affiliated with the hacking group known as Lapsus$. The breach was identified on September 19, 2022, at 10:45 am PT, as reported by the Uber Team via their official newsroom.

The breach unfolded as follows:

  • Compromised Contractor Account: An external contractor working with Uber had their account compromised by the attacker. The attacker likely gained access to the contractor’s Uber corporate password through illicit means, potentially purchasing it on the dark web.
  • Malware Infection: The contractor’s personal device became infected with malware, which exposed their login credentials. This gave the attacker a significant foothold.
  • Repetitive Login Attempts: The attacker repeatedly attempted to log in to the contractor’s Uber account. Initially, these attempts were blocked by two-factor authentication (2FA), as the contractor received approval requests. Eventually, the user accepted one of those requests, allowing the attacker to successfully access the account. This is a classic example of social engineering, in which MFA fatigue led to human error.
  • Elevation of Privileges: Once in, the attacker leveraged this compromised account to access other employee accounts. This enabled them to gain elevated permissions, including access to vital tools such as G-Suite and Slack.
  • Message Post and Configuration Change: The attacker posted a message on a company-wide Slack channel, informing employees about their successful intrusion. They also reconfigured Uber’s OpenDNS to display a graphic image on some internal sites, affecting employees’ access.
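The repeated-prompt pattern in the "Repetitive Login Attempts" step is detectable in authentication logs. The following is an added example, not code from the original article or from Uber: it flags a burst of MFA push prompts for one user and, with higher priority, an approval that lands inside such a burst. The log format, event names, user names, and the threshold and window values are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Hypothetical format:
# <UTC timestamp> <user> <event> <source IP of the login attempt>
SAMPLE_LOG = """\
2022-09-15T09:00:00Z employee02 push_sent 198.51.100.7
2022-09-15T09:00:05Z employee02 push_approved 198.51.100.7
2022-09-15T14:10:00Z employee03 push_sent 198.51.100.9
2022-09-15T14:10:20Z employee03 push_timeout 198.51.100.9
2022-09-15T14:11:00Z employee03 push_sent 198.51.100.9
2022-09-15T14:11:04Z employee03 push_approved 198.51.100.9
2022-09-15T21:02:10Z contractor01 push_sent 203.0.113.50
2022-09-15T21:02:20Z contractor01 push_denied 203.0.113.50
2022-09-15T21:03:05Z contractor01 push_sent 203.0.113.50
2022-09-15T21:03:15Z contractor01 push_denied 203.0.113.50
2022-09-15T21:04:00Z contractor01 push_sent 203.0.113.50
2022-09-15T21:04:30Z contractor01 push_timeout 203.0.113.50
2022-09-15T21:05:30Z contractor01 push_sent 203.0.113.50
2022-09-15T21:05:41Z contractor01 push_denied 203.0.113.50
2022-09-15T21:06:10Z contractor01 push_sent 203.0.113.50
2022-09-15T21:06:19Z contractor01 push_denied 203.0.113.50
2022-09-15T21:07:45Z contractor01 push_sent 203.0.113.50
2022-09-15T21:08:02Z contractor01 push_approved 203.0.113.50
"""


@dataclass
class Alert:
    user: str
    kind: str               # "push_burst" or "approved_after_burst"
    time: datetime
    prompts_in_window: int


def parse_event(line):
    """Split one log line into (timestamp, user, event, ip)."""
    ts, user, event, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip


def detect_mfa_fatigue(lines, window=timedelta(minutes=10), threshold=5):
    """Flag users who receive `threshold` or more push prompts within `window`,
    and separately flag an approval that arrives during such a burst."""
    events = sorted((parse_event(l) for l in lines if l.strip()),
                    key=lambda e: e[0])
    prompts = defaultdict(deque)   # user -> timestamps of recent push prompts
    burst_open = set()             # users with an already-reported burst
    alerts = []

    for ts, user, event, _ip in events:
        q = prompts[user]
        # Drop prompts that have aged out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if not q:
            burst_open.discard(user)

        if event == "push_sent":
            q.append(ts)
            # Report the burst once, when the threshold is first reached.
            if len(q) >= threshold and user not in burst_open:
                burst_open.add(user)
                alerts.append(Alert(user, "push_burst", ts, len(q)))
        elif event == "push_approved":
            # An approval after many prompts is the MFA-fatigue signature:
            # treat the session as suspect even though MFA "succeeded".
            if len(q) >= threshold:
                alerts.append(Alert(user, "approved_after_burst", ts, len(q)))
            q.clear()
            burst_open.discard(user)
        # push_denied / push_timeout need no handling: the prompt itself
        # was already counted when it was sent.
    return alerts


if __name__ == "__main__":
    for a in detect_mfa_fatigue(SAMPLE_LOG.splitlines()):
        print(a.time.isoformat(), a.user, a.kind, a.prompts_in_window)
```

An "approved_after_burst" alert is the one to act on first: revoking the resulting session and resetting the credential addresses both the stolen password and the coerced approval.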

What Was Compromised?

The Uber data breach, which saw the compromise of the company’s Privileged Access Management (PAM) platform, has had far-reaching consequences, critically impacting the company’s security posture. The PAM compromise shows the severity of the incident, as it potentially granted the attacker access to multiple internal systems and services that Uber relies on.

The list of systems that were compromised:

  • Thycotic (PAM)
  • Google Workspace Admin
  • AWS Instance
  • SentinelOne (XDR)
  • VMware vSphere
  • Slack Workspace
  • Uber Internal Financial Data

What was the Impact of the Data Breach as a Whole?

The impact of the Uber data breach was massive. Here’s an impact analysis of the breach:

  • Data Exposure: The attacker gaining admin access to the Thycotic PAM system was a severe blow to Uber’s security. Privileged Access Management (PAM) tools are designed to secure, control, and monitor access to critical information and resources. With access to Thycotic, the attacker unlocked a treasure trove of sensitive credentials and passwords, compromising the security of various Uber systems.
  • Data Exposure: The hacker having administrative access to Uber’s Google Workspace raised concerns about the potential exposure of sensitive corporate documents, emails, and communication records.
  • Security Vulnerabilities: Unauthorized access to Uber’s AWS services posed a significant security risk, potentially allowing the hacker to manipulate or exfiltrate data.
  • Network Vulnerability: Access to Uber’s firewall could have enabled the hacker to manipulate network traffic, compromise communication channels, and potentially gain deeper access to the company’s systems.
  • On-Premise Server Risk: The attacker could potentially infiltrate on-premise servers, jeopardizing data security, executing unauthorized commands, and moving laterally through Uber’s infrastructure.
  • Cloud Resource Manipulation: Administrative access enabled the attacker to manipulate cloud resources, potentially disrupting services, misusing computing power, and impacting critical system availability.
  • Communication Exposure: Gaining access to Uber’s Slack workspace jeopardized the privacy of internal communications. Messages exchanged on Slack, including sensitive discussions and file sharing, might have been compromised.
  • Detailed Vulnerability Information: HackerOne is a platform used by organisations to compensate and collaborate with security researchers who identify vulnerabilities in systems, offering rewards for their contributions. The severity of this breach is underscored by the amount of detailed information often provided by security researchers. Access to the HackerOne account could have exposed these detailed “how-to” guides on exploiting vulnerabilities within Uber’s IT systems.
  • Financial Risk: Access to Uber’s financial data posed significant financial risks. The breach may have exposed sensitive financial information, making it susceptible to misuse or extortion.

How can organisations protect against incidents like the Uber data breach?

Social engineering was the root cause of the Uber breach, and in this instance, MFA Fatigue allowed the hacker to gain access. With the continuous advancement of AI, hackers and their tactics are growing more sophisticated every day. Traditional security awareness and training methods are no longer sufficient. Organizations must shift their focus towards bringing behavioural change by influencing users’ psychology. Smart, gamified learning holds the key.

  • Network Isolation: Organizations can minimize the impact of a breach by segregating their networks into separate segments. This strategy will help contain potential intrusions, limiting the lateral movement of attackers within the network.
  • Access Control: Apply the principle of least privilege. Implementing network segmentation ensures that employees and systems only have access to the resources and data required for their roles, reducing the attack surface for potential breaches.
  • Granular Control: Robust PIM/PAM solutions grant organizations the ability to control, monitor, and secure privileged identity and access to critical systems. This includes the enforcement of strong access policies, multi-factor authentication, and continuous monitoring of privileged accounts.
  • Audit Trails: Keeping detailed audit trails helps organizations track privileged access and detect unusual activity, enabling swift responses to potential breaches.
  • Smart Adaptive Training and Awareness: Humans are the most attacked vector, and organizations must invest in gamified employee training and awareness programs. This involves not only running advanced phishing simulations but also educating staff about phishing threats and best practices, and making them suspicious by nature.
  • Continuous Monitoring: What you can measure, you can manage! Implement tools that continuously assess and monitor employees’ behaviour to detect unusual patterns and potential insider threats.
  • Build the culture of reporting: Establish a company-wide culture that prioritizes security and encourages employees to be vigilant. Encourage and enable them to report suspicious activities with one click, fostering a collaborative approach to cybersecurity.
  • Clear Policies and Reporting Mechanisms: Ensure that employees understand company security policies, know how to easily and seamlessly report incidents, and feel supported in doing so.
  • Automate and Gamify the Learning Experience: There are 20,000+ types of attack scenarios. You cannot train your employees for all of them. Instead, you can make them suspicious by nature by altering their psychology. To do that, it’s crucial to both automate and gamify the learning experience. Automation ensures that employees receive timely and relevant training, staying up-to-date with the ever-evolving threat landscape. By introducing gamification elements, learning becomes engaging and competitive, motivating participants to enhance their security awareness.
  • Seeing is believing: Conducting live hack show demonstrations is essential for organizations to provide a hacker’s perspective and help users understand just how vulnerable they can be to cyberattacks. It can help them stay motivated not only to protect the organisation but also to stay vigilant about their personal safety.

The crucial lesson from this Uber breach is that in today’s evolving cybersecurity landscape, continuous training and putting people at the centre of security are paramount. Human error, often unintentional, can lead to dire consequences, making it crucial for organizations to invest in robust security awareness training. It’s not just about technology; it’s about building a culture of security and ensuring that employees are well-prepared and enabled to recognize and respond to threats efficiently. This human-centric approach is key to preventing cyberattacks and safeguarding sensitive data.

Customer Success Stories

Empowering customer innovation.

Southwest Customer Story

Automating the app-testing process and reducing costs

BMW Group customer story

Transforming automotive experiences using AWS

Canva customer story

Democratizing access to compute insights

One Medical customer story

Powering patient-centered care using AWS

Rewatch Customer Stories from AWS Events

BMW Group powers 1,000+ microservices that process over 12 billion requests daily—while achieving 99.95 percent reliability.

In this re:Invent keynote, Stephan Durach, Senior Vice President Connected Company Development and Technical Operations at BMW Group, discusses how the company uses Amazon Web Services (AWS) technology to transform automotive experiences.

Intuit uses cutting-edge technology to deliver highly personalized customer experiences

In this AWS re:Invent 2023 keynote video, Nhung Ho, vice president of AI at Intuit, discusses how the company is using AWS to drive major advancements in financial technology using generative AI.

Booking.com uses AWS to power emerging generative artificial intelligence (AI) technology at scale

In this AWS re:Invent 2023 keynote video, Rob Francis, senior vice president and chief technology officer at Booking.com, discusses how the company uses AWS to revolutionize the travel industry.

AWS brings NVIDIA GH200 Grace Hopper Superchip to the cloud

In this AWS re:Invent keynote, Jensen Huang, founder and CEO of NVIDIA, chats with AWS CEO Adam Selipsky to discuss how NVIDIA and AWS are working together to enable millions of developers to access powerful technologies needed to rapidly innovate with Generative AI.

Listen to Customers Working to Solve Today's Largest Challenges

Dario Amodei from Anthropic

Hear how Anthropic and AWS are working together to responsibly deploy generative AI with a focus on safe, steerable, and reliable solutions.

Lidia Fonseca from Pfizer

Learn how Pfizer used generative AI to achieve the scale necessary to treat more than 1.3 billion people with medicines and vaccines in 2022.

Dr. Rebecca Portnoff, Thorn

Watch how Thorn leveraged AWS's capabilities to enhance their machine learning tools to identify over 2.8 million potential child sexual abuse material files.

Uber Investigating Breach of Its Computer Systems

The company said on Thursday that it was looking into the scope of the apparent hack.

By Kate Conger and Kevin Roose

Uber discovered its computer network had been breached on Thursday, leading the company to take several of its internal communications and engineering systems offline as it investigated the extent of the hack.

The breach appeared to have compromised many of Uber’s internal systems, and a person claiming responsibility for the hack sent images of email, cloud storage and code repositories to cybersecurity researchers and The New York Times.

“They pretty much have full access to Uber,” said Sam Curry, a security engineer at Yuga Labs who corresponded with the person who claimed to be responsible for the breach. “This is a total compromise, from what it looks like.”

An Uber spokesman said the company was investigating the breach and contacting law enforcement officials.

Uber employees were instructed not to use the company’s internal messaging service, Slack, and found that other internal systems were inaccessible, said two employees, who were not authorized to speak publicly.

Shortly before the Slack system was taken offline on Thursday afternoon, Uber employees received a message that read, “I announce I am a hacker and Uber has suffered a data breach.” The message went on to list several internal databases that the hacker claimed had been compromised.

The hacker compromised a worker’s Slack account and used it to send the message, the Uber spokesman said. It appeared that the hacker was later able to gain access to other internal systems, posting an explicit photo on an internal information page for employees.

The person who claimed responsibility for the hack told The New York Times that he had sent a text message to an Uber worker claiming to be a corporate information technology person. The worker was persuaded to hand over a password that allowed the hacker to gain access to Uber’s systems, a technique known as social engineering.

“These types of social engineering attacks to gain a foothold within tech companies have been increasing,” said Rachel Tobac, chief executive of SocialProof Security. Ms. Tobac pointed to the 2020 hack of Twitter, in which teenagers used social engineering to break into the company. Similar social engineering techniques were used in recent breaches at Microsoft and Okta.

“We are seeing that attackers are getting smart and also documenting what is working,” Ms. Tobac said. “They have kits now that make it easier to deploy and use these social engineering methods. It’s become almost commoditized.”

The hacker, who provided screenshots of internal Uber systems to demonstrate his access, said that he was 18 years old and had been working on his cybersecurity skills for several years. He said he had broken into Uber’s systems because the company had weak security. In the Slack message that announced the breach, the person also said Uber drivers should receive higher pay.

The person appeared to have access to Uber source code, email and other internal systems, Mr. Curry said. “It seems like maybe they’re this kid who got into Uber and doesn’t know what to do with it, and is having the time of his life,” he said.

In an internal email that was seen by The New York Times, an Uber executive told employees that the hack was under investigation. “We don’t have an estimate right now as to when full access to tools will be restored, so thank you for bearing with us,” wrote Latha Maripuri, Uber’s chief information security officer.

It was not the first time that a hacker had stolen data from Uber. In 2016, hackers stole information from 57 million driver and rider accounts and then approached Uber and demanded $100,000 to delete their copy of the data. Uber arranged the payment but kept the breach a secret for more than a year.

Joe Sullivan, who was Uber’s top security executive at the time, was fired for his role in the company’s response to the hack. Mr. Sullivan was charged with obstructing justice for failing to disclose the breach to regulators and is currently on trial.

Lawyers for Mr. Sullivan have argued that other employees were responsible for regulatory disclosures and said the company had scapegoated Mr. Sullivan.

Kate Conger is a technology reporter in the San Francisco bureau, where she covers the gig economy and social media.

Kevin Roose is a technology columnist and the author of “Futureproof: 9 Rules for Humans in the Age of Automation.”

Top 12 AWS services for building an Uber-like location-based startup

On-demand economy – also known as 'gig economy' or 'sharing economy' – is constantly growing and expected to generate half the sales revenue ($335bn) in the sectors with yet-prevalent traditional operating models by 2025, according to the PwC study.

With the likes of Uber, Lyft, Airbnb, and Netflix expanding further and further, more startups try to challenge the industry leaders or adapt their business models to yet-unconquered markets. Succeeding in these endeavours requires thorough software development planning and preparation for rapid scalability, should you decide to actually have a go at battling the titans with their access to 'unlimited' capital.

If the above is your goal – read on, as today we’ll focus on developing a mobility startup, specifically one of its crucial elements – the infrastructure. For the simplicity of explanation, let’s take building an Uber-like app as our example.

Cloud vs on-premise

To begin, let’s lay out the foundation. Should you go for cloud or on-premise hosting? Both solutions, obviously, have their own pros and cons, but as we are a startup company, going for the cloud-based option will help us save the cost of setting up and running a feasible on-premise solution.

As RST is an official AWS consulting partner, I have access to our certified cloud architects and had a chance to speak with our Chief Cloud Solutions Officer – Marek Ziółkowski, whose knowledge and expertise will help me guide you through the process of understanding what is required from the infrastructure perspective to face rapid scalability and growth of your business.

Frontend for an Uber-like app

Let’s start with the frontend of your application. In most cases, it is represented by a static web or mobile screen, meaning you don’t need to re-render what is being shown on the screen each time someone uses your application. All the interactive parts, e.g. navigating a map, will be done by embedding an external service, be it your custom-built one or via third-party APIs. This leaves us a fairly simple task to fulfil.

Amazon Simple Storage Service (Amazon S3), simply put, is your cloud storage that offers industry-leading scalability, data availability, security, and performance features and should be used for hosting your static applications’ frontend.

Not much to add here, to be honest with you. It’s as simple as it gets. Obviously, we could dive deeper into the process of properly setting up an S3-based storage, but that would make this article too technical for the purpose of giving you an overview of what is needed for Uber-like app development, so let’s leave it for later.

Amazon S3 for an Uber-like app

Compute platform for an Uber-like app

The compute part of your application is where it gets sliiiightly complicated.

First, we need someplace to host our infrastructure. There are two options.

Amazon Elastic Compute Cloud (Amazon EC2) is the simplest and yet broadest compute platform offered by Amazon – in other words – your virtual server. Amazon gives you full access to your EC2 instances, just as you would have with a regular on-premise server.

Here’s what it means:

  • you don’t want to build a cloud-native application (which we do recommend building, by the way);
  • you want to have access to the server’s OS;
  • you want to access the console terminal;
  • you either don’t plan to scale rapidly or you have access to DevOps engineers who will be able to configure everything properly;
  • you plan to have a stable and predictable resource usage and want to reserve instances for a longer time-frame, which will lower your costs; or
  • you don’t want to vendor lock-in yourself with AWS and want to be able to migrate when required.

AWS Fargate

AWS Fargate is Amazon’s serverless, pay-as-you-go compute engine that allows you to ignore the entire process of dealing with your own servers, whether virtual or not, and focus on developing your app instead. To be completely honest with you, Fargate is the solution we usually advise going with, unless you have a very specific case, which an Uber-like app isn’t. Why?

  • Fargate removes the operational overhead of scaling, patching, securing, and managing servers;
  • it automatically scales your compute infrastructure according to the actual usage;
  • if your user traffic suddenly peaks due to an ongoing marketing campaign, you don’t need to prepare beforehand; and
  • if your app usage drops at night or during working hours, you don’t have to pay for the idle servers.

AWS Fargate for an Uber-like app

Now, let’s think about containerization of our application. AWS offers two services, and it’s up to you and your dev team to decide which to go for, as both solutions are equally good for the given task. Let’s look at both ECS and EKS (both are compatible with AWS Fargate and EC2).

Amazon Elastic Container Service (Amazon ECS) is Amazon’s own fully-managed container orchestration service that takes care of deploying, managing and scaling of your containerized applications.

It makes sense to go for this service if:

  • you're going to use other AWS services for hosting your application, like the aforementioned S3, and you don’t particularly care about the vendor lock-in with AWS; and
  • you don’t want to worry about having to set up everything on your own and would rather utilize proven solutions.

Amazon ECS for an Uber-like app

Amazon Elastic Kubernetes Service (EKS) is a managed container service that allows you to run and scale Kubernetes-based applications with your AWS infrastructure.

It’s worth going for EKS if:

  • you don’t want to vendor lock-in with AWS and want to be able to run your app or its elements with Kubernetes on-premise or within other cloud providers (this approach is called ‘multi-cloud’, if you’d like to search more about it); or
  • your team already has Kubernetes competencies and you don’t want to switch technologies.

Amazon EKS for an Uber-like app

Data storage services for an Uber-like app

Okay, we’ve sorted out the computing piece. Now we need to figure out how to store our data, which in the case of an Uber-like application requires specific solutions compatible with location-based services.

Amazon Relational Database Service (RDS) is a collection of managed database services which we’ll use to host our database. It’s compatible with the seven most popular engines, and most importantly, with the one we’re going to need in our case.

Amazon RDS for an Uber-like app

Amazon RDS for PostgreSQL + PostGIS

Our location-based application needs to operate on geodata, which is where PostGIS comes in: it is an extension for PostgreSQL that enables storing and managing various spatial information, e.g. polygons, geographic lines and coordinates, geometric figures, etc. PostgreSQL also supports libprotobuf 1.3.0 – a library used by PostGIS to deal with Mapbox vector tile data.

It’s also worth considering that it’s best to create a separate database with the PostGIS extension installed, which will handle your map-related data alongside your regular PostgreSQL database.

Amazon S3 Glacier

Amazon S3 Glacier is a storage class designed specifically for data archiving, be it your logs, backups, or some actual data archives. The main principle is that you shouldn’t need to have instant access to those files, which, in turn, will allow you to significantly reduce your storage costs for long-term digital preservation and rarely-accessed data.

Amazon S3 Glacier for an Uber-like app

Amazon CloudFront

Amazon CloudFront is a content delivery network (CDN) that is built to reduce latency and increase the performance of your application in various regions around the world. In simple terms, it caches the contents of your app, so when a user in Australia runs it, instead of requesting the content from your server region (let’s say you’re based in the US), the request goes to Amazon’s Australian CDN and receives what the user needs in a fraction of the Australia-US latency.

This is extremely useful if you’re planning to operate in multiple locations around the globe, as it not only provides better experience to the end-user but also reduces your costs.

Amazon CloudFront for an Uber-like app

Location-based services for an Uber-like app

Not the last and definitely not the least, building an Uber-like startup heavily relies on proper usage of location-based services. There are plenty of third-party map providers, and building everything from scratch would be a suicide mission from any logical standpoint, so you’ll need to select an option that works best with your planned location-based features.

In our previous articles, we’ve compared the most commonly used ones, i.e. Google Maps, Mapbox and OpenStreetMap. If you haven’t had a chance to check it, please follow the links to the map APIs comparison as well as their pricing models.

But, as we’re looking at the services provided by Amazon, it’s worth noting that they also have their own tools for building Uber-like apps.

Amazon Location Service

Amazon Location Service is a set of solutions that natively integrate with the rest of your AWS-based services and provide plenty of ways to generate and process location data out-of-the-box.

That means you can use ALS if you want to:

  • track your assets (which would be your fleet in our Uber-like app);
  • coordinate delivery tracking (which can also be understood in a sense of moving passengers from one location to another with push notifications once you enter the geo-fenced region of passenger’s proximity etc.);
  • implement route optimization for point-to-point navigation (perfect for offering an on-demand taxi service); or
  • use it for user engagement and geomarketing (special discount for app users at an airport).

Geospatial data is provided to Amazon from well-established global providers such as Esri and HERE, so you don’t have to worry about getting good geographic coverage and geodata accuracy.

If your Uber-like application requires custom data layers or map features altogether, you can easily integrate third-party solutions or build your own location-based services using OpenStreetMap, for instance. We used the latter for one of our largest clients – Trans.eu (here’s our case study) – the leading logistics platform in Europe and Asia.

Analytics tools for an Uber-like app

Your app is up and running. You want to keep tabs on both the app’s performance and business growth. Here’s what you can get from Amazon’s offer.

Amazon CloudWatch

Amazon CloudWatch is a monitoring and observability service that provides your dev team with insights into your Uber-like app’s performance, whether we speak of system-wide metrics or just your infrastructure resources utilization.

While you, as a business founder, might not be able to fully understand the scope of provided analytics data, it’s important to have it set up from the beginning, so it’s both easier to optimize your system and quickly pinpoint any existing issues.

Amazon CloudWatch for an Uber-like app

Amazon QuickSight

Amazon QuickSight is what you might find a lot more interesting and aligned with your field of responsibility. QuickSight is one of the most popular cloud-native, serverless business intelligence (BI) tools.

As it was in the case of Fargate, QuickSight is also an auto-scaling, pay-as-you-go service that allows you to connect all your data sources within one place for complex analysis. A customizable dashboard provides you only with the data that matters to you and integrated machine learning algorithms can detect anomalies, forecast business metrics as well as perform interactive what-if analyses.

If you store all of your data inside the RDS and S3 storage suggested above, QuickSight also provides you with native integrations and granular access control.

Amazon QuickSight for an Uber-like app

Sum-up of the best AWS tools for building an on-demand delivery app

As you can see, Amazon Web Services offers a plethora of tailored solutions that can easily power your Uber-like startup, from its initial software development stages to further improvements, analysis, rapid scalability and world-wide availability.

  • Amazon S3 – best for hosting your static frontend: websites, web and mobile applications;
  • Amazon EC2 – the best cloud server for your backend, especially if you want to avoid vendor lock-in, but requires an experienced development team for proper setup and maintenance;
  • AWS Fargate – the best serverless solution for your cloud-native application that offers pay-as-you-go pricing model, requires no deep DevOps expertise and is best for rapid scalability due to its auto-scaling infrastructure;
  • Amazon ECS – Amazon’s own containerization service, best if you’re going to use more AWS-powered services in your Uber-like app;
  • Amazon EKS – Amazon’s solution for Kubernetes-based containers, best if you’re trying to avoid vendor lock-in or have extensive prior experience with Kubernetes;
  • Amazon RDS – your go-to choice of database storage;
  • PostgreSQL + PostGIS – the best choice for storing your geospatial data with increased performance and computation abilities;
  • Amazon S3 Glacier – the cheapest storage option for secure data archiving;
  • Amazon CloudFront – the best CDN service for low-latency access to your app from anywhere in the world;
  • Amazon Location Service – a set of tools designed specifically for building location-based startups that offer cost-effective location-based services (LBS) out-of-the-box;
  • Amazon CloudWatch – the monitoring tool of your choice that provides your dev teams with crucial information about your system’s performance and existing issues, should such appear; and
  • Amazon QuickSight – the best cloud-native BI solution that can enhance your decision-making processes with real-time business data and machine learning-powered analysis.

These are essential for your technology stack if you want to build a successful location-based startup. Here's an infographic, if you'd like to download it and keep it for later. ;)

Top 12 AWS services for an Uber-like app

If you’re not sure whether the above applies to your specific case, feel free to drop me a line at [email protected], and I’ll match you with our certified AWS lead architects who’ll be able to advise you on the proper way of approaching your situation. And that’s about it for today. Till the next one!

Leading the pack: an exclusive interview with Uber’s Chief Barketing Officer

Imagine the corporate world as a giant dog park 🐾, where innovation fetches 🎾 success and the mailman isn’t the only one running in circles. In the midst of this, there’s a tail-wagging disruptor 🐕 making paw-sitive changes, one bark 🗣️ at a time. 

Meet Teddy, Uber’s Chief Barketing Officer. With a nose 👃 that can sniff out trends faster than you can say “squirrel!” 🐿️ and loyalty that puts human’s best friend to shame, Teddy is more than just an employee; he’s the leader of the pack 🐺. 

From negotiating treats 🦴 to chasing the company’s KPIs (Kibble Performance Indicators), Teddy’s day is a fur-filled adventure 🌳 in marketing like no other.

Let’s dig into his story.

As Uber’s Chief Barketing Officer, what does your typical day look like?

It starts with a morning sniff-around the office to greet my team 🐾. I believe in leading by example, so I ensure everyone feels welcomed. My day is packed with meetings 📊, from discussing pawlicies to strategizing our next big fetch in the market. And yes, plenty of zoomies around the office to keep the energy high!

Favorite Uber benefit? 

I love that I can bring my human to the office every day. It’s great socialization time for her with the other humans! And oh, I must howl about another fantastic perk—the free snacks at reception! Yum yum yum.

How do you contribute to Uber’s growth and success? 📈

My role is all about sniffing out the best opportunities and marking our territory in the market. I use my keen sense of smell to guide the team towards unexplored avenues and dig up hidden gems 💎. My barketing strategies are all about loyalty and creating a fetching experience for our users.

What’s the most rewarding part of your job? 🏆

Seeing the impact of our team’s hard work. Whether it’s the joy of a successful campaign or the wagging tails of our satisfied customers, knowing we’ve made a difference is truly rewarding. Also, the belly rubs after a job well done are pretty great too! 🤗

How do you keep your paw on the pulse of the latest trends? 💡

Staying ahead of the pack requires constant vigilance and a curious nose. I attend dog parks (networking events) and keep my ears perked up during walks. It’s all about staying connected to our community and listening to their needs and barks.

Favorite Uber value?

That’s easy! Go fetch it. As the Chief Barketing Officer here at Uber, Go fetch it isn’t just my daily mantra; it’s how I approach every challenge and opportunity with my tail wagging and eyes on the prize. Whether I’m chasing down innovative solutions or fetching the next big idea, my goal is always to bring it back and lay it proudly at the paws of my team, proving that with a champion’s sniffset, every fetch is within paw’s reach.

Any advice for aspiring canine professionals? 🎓

Believe in your bark! The corporate world might seem intimidating, but with determination, a keen sense of smell, and a loyal heart, you can make a significant impact. Always stay true to your instincts and remember, a friendly wag can open many doors. 🚪

P.S. Our Mission Bay HQ is dog-friendly, with humans and dogs working together in harmony day in, day out

P.P.S. Stop by reception for some homemade dog treats

P.P.P.S Work with Teddy

Posted by Uber

COMMENTS

  1. How Uber is supported with AWS Enterprise Support

    Uber is a multinational ride-sharing and food delivery company that serves nearly 120 million active users. Building on Amazon Web Services (AWS) with solutions such as Amazon Athena and Amazon Simple Storage Service (Amazon S3), Uber was able to integrate its on-premises operations with the cloud. Additionally, with the help of AWS Enterprise ...

  2. Part 1: AWS Continuous Monitoring

    Part 1: AWS Continuous Monitoring. Editor's note: Part 2 of this series, including case studies, can be found here. Uber uses a multi-cloud environment where public clouds supplement our on ...

  3. How Uber Survives Its Busiest Nights of the Year

    Halloween and New Year's Eve are among Uber's busiest nights of the year. According to Matt Schallert, a site reliability engineer at Uber NYC, those days can see 50-100% extra trip volume over the rest of the year. See how Schallert and his team rely on AWS to make sure they are fully prepared to handle the volume of requests that come ...

  4. Uber's Big Data Platform: 100+ Petabytes with Minute Latency

    Reza is one of the founding engineers of Uber's data team and helped scale Uber's data platform from a few terabytes to over 100 petabytes while reducing data latency from 24+ hours to minutes. Uber's Hadoop platform ensures data reliability, scalability, and ease-of-use with minimal latency.

  5. Part 2: AWS Monitoring Case Studies

    Part 2: AWS Monitoring Case Studies. Editor's note: This is Part 2 in a series. Part 1 can be found here. Uber's multi-cloud environment combines the advantages of both public and on-premise ...

  6. Uber Cyber-Attack: A Live Timeline

    CMA Case Studies Cybersecurity Training and Consultancy. Client Testimonials. Cyber Security Training Feedback. Our Clients. A few of our Global Training & Consultancy Clients. ... "An intruder has compromised Uber's AWS cloud account and its resources at the administrative level; gained admin control over the corporate Slack workspace as ...

  7. Streaming Real-Time Analytics with Redis, AWS Fargate, and Dash ...

    How it Helped Work-Life. Real-time analytics helps our operators get fast feedback for their work on the application. With real-time updates the operators could track the amount of time spent on the application daily, and could work with greater flexibility. This allowed operators to achieve a better work-life balance.

  8. How Uber Serves Over 40 Million Reads Per Second from Online Storage

    Docstore is Uber's in-house, distributed database built on top of MySQL®. Storing tens of PBs of data and serving tens of millions of requests/second, it is one of the largest database engines at Uber used by microservices from all business verticals. Since its inception in 2020, Docstore users and use cases are growing, and so are the request volume and data footprint. The growing number of ...

  9. How microservices patterns made Uber's architecture perform better

    Uber had about 1300 microservices when Fowler began investigating how they could apply microservices patterns and improve reliability and scalability. She started a process of standardizing the microservices which allowed Uber to manage the big Halloween rush without outages. Fowler said, "We have thousands of microservices at Uber.

  10. Uber's Strategy for Global Success

    Harvard Business School assistant professor Alexander MacKay describes Uber's global market strategy and responses by regulators and local competitors in his case, " Uber: Competing Globally ...

  11. Uber concealed massive hack that exposed data of 57m users and drivers

    Wed 22 Nov 2017 06.16 EST. First published on Tue 21 Nov 2017 17.53 EST. Uber concealed a massive global breach of the personal information of 57 million customers and drivers in October 2016 ...

  12. The Uber data breach cover-up: A timeline of events

    The Uber data breach cover-up and the case against Sullivan feature numerous important dates and developments, according to court documents and statements from FTC. Here's a look at some of the major dates: May 12, 2014: Threat actors access personal data of Uber customers and drivers contained in an AWS S3 bucket. The attackers used an AWS ...

  13. The Uber Breach Case Study: Cybersecurity Lessons Learned

    Uber, a globally recognized ride-sharing and technology company, experienced a data breach as a result of a sophisticated cyberattack. The attack was orchestrated by a hacker affiliated with the hacking group known as Lapsus$. The breach was identified on September 19, 2022, at 10:45 am PT, as reported by the Uber Team via their official ...

  14. Customer Success Stories: Case Studies, Videos, Podcasts, Innovator stories

    More to explore. Explore how customers accelerate their cloud adoption and fuel innovation with the AWS Partner Network (APN). This is My Architecture showcases innovative architectural solutions on AWS by customers and partners. Episodes examine the most interesting and technically creative elements of each cloud architecture.

  15. Why We Leverage Multi-tenancy in Uber's Microservice Architecture

    Tenancy for both data-in-flight (e.g., requests or messages in the messaging queue) and data-at-rest (e.g., storage or persistent caches) allows for isolation and fairness guarantees, as well as tenancy-based routing opportunities. Multi-tenancy helps us achieve a variety of functions on a simple microservice stack, including an improved ...

  16. Case Study: The Uber Hack

    As in the previous case study, we will analyze the methods attackers used to penetrate the organization's network, escalate their privileges, and possibly exfiltrate valuable information. Overview On September 15, 2022, Uber — a well-known rideshare and food delivery company — officially confirmed an organization-wide security breach [244].

  17. Uber Investigating Breach of Its Computer Systems

    Uber arranged the payment but kept the breach a secret for more than a year. Joe Sullivan, who was Uber's top security executive at the time, was fired for his role in the company's response ...

  18. Uber Goes Big With Google And Oracle As Cloud Architecture ...

    Uber Technologies Inc. announced last week it will make seven-year deals with both Alphabet Inc.'s Google Cloud and Oracle Corp to eliminate its reliance on the global hardware supply chain. The ...

  19. Introducing Domain-Oriented Microservice Architecture

    Over the last two years, Uber has attempted to reduce microservice complexity while still maintaining the benefits of a microservice architecture. With this blog post we hope to introduce our generalized approach to microservice architectures, which we refer to as "Domain-Oriented Microservice Architecture" (DOMA).

  20. Top 12 AWS services for building an Uber-like location-based startup

    Amazon ECS - Amazon's own containerization service, best if you're going to use more AWS-powered services in your Uber-like app; Amazon EKS - Amazon's solution for Kubernetes-based containers, best if you're trying to avoid vendor lock-in or have extensive prior experience with Kubernetes; Amazon RDS - your go-to choice of ...

  21. Uber Ditches On-Prem and Hooks Future to GCP and Oracle Cloud

    Related: Microsoft Slaps Tax on Taking Its On-Prem Licenses to AWS, GCP. For data center operators, this news runs counter to a recent trend of data center repatriation, driven by price sensitivity. Here's a case study Data Center Knowledge published on Jan. 18 detailing the 37signals repatriation of workloads from AWS to a hybrid colo/MSP.

  22. Leading the pack: an exclusive interview with Uber's Chief Barketing

    Meet Teddy, Uber's Chief Barketing Officer. With a nose 👃 that can sniff out trends faster than you can say "squirrel!" 🐿️ and loyalty that puts human's best friend to shame, Teddy is more than just an employee; he's the leader of the pack 🐺. ... Case study: Tri-Rail's role in paving the way for effortless commuting ...