Two men, who hacked data and extorted huge sums of money from Uber and LinkedIn, pleaded guilty in the US Federal court on Wednesday. Besides stealing sensitive information, they also asked for a lot of money from these companies to delete the stolen information from Amazon’s servers.
According to Justice Department press release, Vasile Mereacre from Canada and Brandon Glover from Florida have confessed their role in this cybercrime. Apparently, they logged into Amazon Web Services using compromised login credentials and accessed corporate databases holding sensitive information. After stealing the information, Mereacre and Glover told these firms about security lapses in their systems and how employees’ information was compromised.
For deleting this data from Amazon’s web servers, these men demanded a lot of money from these firms.
Apparently, these men used a duplicate encrypted email account to inform these companies that their systems have compromised their security. They even showed samples of stolen data to these companies as proof so that they can demand money from them.
FBI special agent in charge, John F. Bennett, stated that they are dealing with very sophisticated cyber actors. In order to reach the root of any cybercrime, there is a lot of dependency on the relationship between the FBI and private sector firms of the cyber industry. According to Bennett, the willingness of these companies to report any security breaches in their systems enable the FBI to take fast action against those committing cybercrime.
Glover and Mereacre admitted that Uber’s Amazon web server credentials were given to a technically proficient hacker, who in turn, found 57 million archived files all composed of customer and driver data. Then, these men illegally downloaded all the data and contacted Uber in November 2016, saying that their systems are no longer secure, and their data has become transparent. Uber agreed to pay $100,000 in bitcoin through a third party. The defendants were asked to sign a confidentiality agreement in return.
After about 3 weeks of negotiations, Uber finally paid the amount in December after making sure that the transaction will be kept confidential, and all of their data will be erased completely. Around January 2017, Uber found out Glover’s real identity. Apparently, a representative from the firm tracked Glover down at his place and made him sign a confidentiality agreement using his real name. A couple of days later, the same process was repeated with Mereacre. An Uber representative found him in Toronto and made him sign the confidentiality agreement.
Likewise, a lot of information involving 90,000 user accounts, all of which belonged to Lynda.com, and which were downloaded via incorrect means using the company’s Amazon web services, were obtained. A similar strategy was used by Glover and Mereacre on LinkedIn as well. When an email was sent to LinkedIn’s security representative, stating that there was a security lapse of their confidential information, they decided to track down the source of the email.
Apparently, these men told the concerned LinkedIn representatives that they expected a lump sum amount of money in return for the deletion of their confidential information. They even stated that some other company paid them a high price for the job. However, there was no communication between them from January 2017, and LinkedIn did not pay any money.
According to sources, both these men could face up to 5 years in prison. They may have to pay a penalty of $250,000. They have been charged with hacking confidential data and extortion. The next hearing on this case is scheduled to happen on March 18, 2020, when the actual quantum of punishment would be known.
LinkedIn has stated that it is very happy with the results of the investigation and was full of praises for the investigation team. However, Uber refused to comment on anything regarding the same.