SAN FRANCISCO — Two men pleaded guilty in federal court in San Jose, Calif., to charges of computer hacking and an extortion conspiracy on Wednesday, capping a thorny legal saga that ensnared tech companies like Uber and LinkedIn in data breach scandals.
The resolution of the case comes as Americans grapple with theft and misuse of their personal information amid serious data breaches at companies from Facebook and Equifax to Target and Marriott over the past decade.
Lynda.com, which is owned by LinkedIn, disclosed to its users in December 2016 that it had a data breach. Officials said some 55,000 accounts were affected, and the company warned another 9.5 million customers about the breach.
The Uber breach affected more than 57 million people, as the hackers gained access to the names, phone numbers and email addresses of riders and drivers who used the service.
On Wednesday, Brandon Glover, a 26-year-old Florida resident, and Vasile Mereacre, a 23-year-old Canadian national, appeared before Judge Lucy Koh of the United States District Court for the Northern District of California. In their plea agreements, the men said that they gained access in 2016 to the private databases of Uber and Lynda.com.
They said they were able to enter by using the credentials of the Amazon Web Services accounts belonging to Uber and Lynda.com employees, and then gain access to the Amazon servers that stored data for those companies. The men said that they then downloaded private customer information, anonymously contacted security officials at the companies and tried to extort them for hundreds of thousands of dollars in bitcoin.
In 2016, Mr. Glover and Mr. Mereacre, using pseudonyms and untraceable accounts, contacted security officials at Lynda.com and asked for payment in exchange for the data. Instead, Lynda.com security officials disclosed the leak to customers; the hackers stopped communicating with the company.
Uber took a different approach. According to court filings, the hackers anonymously contacted Uber’s security team in November 2016 and said they had downloaded the account information for 57 million Uber customers. The hackers demanded a six-figure payout to delete the data.
Uber officials tried to reach a deal with the hackers by paying them through a “bug bounty” website, according to court filings. Technology companies commonly pay bounties to scrupulous hackers to find security vulnerabilities in their systems. But in this case, Uber sent Mr. Glover and Mr. Mereacre two payments of $50,000 in bitcoin and asked them to sign nondisclosure agreements.
“Companies like Uber are the caretakers, not the owners, of customers’ personal information,” David L. Anderson, United States attorney for the Northern District of California, said in a statement.
All 50 states and United States territories have enacted laws that require companies to immediately notify customers of unauthorized data breaches that compromise users’ personal information.
“Don’t be so concerned with your image or reputation,” Mr. Anderson said of companies that might try to keep data breaches secret. “Be concerned with the real losses others have suffered. Report the intrusion promptly. Cooperate with law enforcement.”
Uber executives revealed the data breach in late 2017. The ride-hailing company ousted Joe Sullivan, the chief security officer who presided over the payments, for arranging the deal and not alerting the public. Uber later settled a nationwide investigation of the breach and the company’s behavior surrounding the incident for $148 million.
Mr. Sullivan and Travis Kalanick, Uber’s former chief executive who oversaw the payments, claimed at the time that the security team treated the incident like an authorized disclosure as part of Uber’s “bug bounty” program. Uber’s security team used data uncovered during the payment negotiation to find Mr. Glover at his home in Florida, according to the filings.
In January 2017, members of Uber’s security team showed up in Florida and Canada to find both men and make them sign confidentiality agreements.
“In order to take on those people on the front lines of the cyber security battle, we rely heavily on our valued relationships and open dialogue with private sector companies in cyber industries,” said John Bennett, Federal Bureau of Investigation special agent in charge, who worked on the case. “Their willingness to speedily report intrusions to our investigators allows us to find and arrest those who commit data breaches.”
Cleaning up the security breach was one in a string of scandals for Uber in 2017, a year that saw multiple investigations into the company’s culture, as well as Department of Justice inquiries into “Greyball,” a software tool used to evade transportation authorities. Uber has since pledged to turn over a new leaf and hired swaths of lawyers and compliance officers to clean up its act.
“We appreciate the ongoing work by the U.S. Attorney’s office to pursue and bring to justice those responsible for the 2016 breach of Lynda user information,” a LinkedIn spokesperson said in a statement. “We’re glad to see the resolution of this investigation.”
A representative for Uber declined to comment on the plea agreements.
Mr. Glover and Mr. Mereacre could each face a maximum of five years in federal prison and a fine of up to $250,000 upon sentencing, which will occur in 2020.