Two Hackers Plead Guilty in Uber Blackmail Case, Targeting Major Corporations
In a significant legal development, two grey hat hackers, Brandon Charles Glover, 26, from Florida, and Vasile Mereacre, 23, from Toronto, have pleaded guilty in a California court to charges of blackmail against Uber, LinkedIn, and several other American companies. This case revolves around their actions of extorting millions of dollars in exchange for the deletion of sensitive data they had illegally obtained in late 2016.
During a hearing at the San Jose courthouse, it was revealed that Glover and Mereacre gained unauthorized access to confidential corporate databases hosted on Amazon Web Services, utilizing stolen credentials. After acquiring this data, the hackers proceeded to contact the affected organizations to highlight security vulnerabilities. They demanded hefty sums of money to erase the stolen information, a tactic that has drawn attention from the U.S. Justice Department.
In one email to the affected company, the hackers boasted about their access, stating, “I was able to access backups upon backups, me and my team would like a huge reward for this.” Their demands included claims that they had previously assisted a large corporation that had compensated them nearly seven figures for their services.
As reported by The Hacker News two years ago, Glover and Mereacre managed to download sensitive information belonging to 57 million Uber riders and drivers. In a bid to conceal the breach, Uber allegedly paid the hackers $100,000 in Bitcoin. Notably, the indictment details how both hackers used pseudonyms to interact with the victim companies, often asserting that they had already been compensated by other corporations for identifying similar security issues.
In December 2016, these hackers similarly targeted LinkedIn, threatening to disclose compromised data from the company’s subsidiary, Lynda.com, which included over 90,000 user records and their credit card information. Investigations later revealed that Uber sent forensic teams to the hackers’ residences in both Florida and Canada to confirm the deletion of all stolen data, compelling the hackers to sign non-disclosure agreements to prevent further breaches.
Uber’s delayed disclosure of the October 2016 data breach led to widespread repercussions. Following the revelation, the company faced a settlement of $148 million after being ordered by attorneys general from all 50 states and the District of Columbia. Additionally, British and Dutch regulators imposed a fine of approximately $1.1 million for failing to secure customer information during the cyber attack.
The compromised entities here were primarily tech-based, with Uber and LinkedIn both being headquartered in the United States. The tactics employed by Glover and Mereacre are significant when viewed through the lens of the MITRE ATT&CK framework. Their approach exemplifies tactics such as Initial Access, through stolen credentials, and Exfiltration, by accessing sensitive databases and threatening disclosure.
The defendants have each pleaded guilty to one count of conspiracy to commit extortion and face potential penalties of up to five years in prison and a $250,000 fine at their upcoming sentencing. Currently released on bond, Glover and Mereacre are set to be sentenced in March 2020, marking an important moment in the ongoing battle against cybercrime in the corporate sector.
As businesses navigate an increasingly complex cybersecurity landscape, this case serves as a reminder of the potential threats posed by hackers and underscores the importance of robust security measures to protect sensitive data.
