In a San Jose federal court Wednesday, a Florida resident and one Toronto local pleaded guilty to charges of computer hacking and extorting conspiracies, as part of the massive 2016 Uber and Lynda.com data breaches.
The two men – 26-year-old Brandon Charles Glover of Winter Springs, Florida and 23-year-old Vasile Mereacre, a Canadian national – pleaded guilty to charges of cyber hacking related to the Uber and Lynda.com (now owned by LinkedIn) user data breaches in 2016 that affected some 57.5 million accounts in total.
Both appeared yesterday before Judge Lucy Koh of the United States District Court for the Northern District of California to present their plea agreements. Each defendant pleaded guilty to one count of “conspiracy to commit extortion involving computers,” with sentencing scheduled to happen in March of this coming year.
According to the New York Times, in November of 2016, Glover and Mereacre were able to access user data belonging to Uber and Lyndia.com by utilizing stolen log-in credentials for Amazon Web Services accounts associated with Uber and Lynda.com employees. Upon successfully breaching the security walls, the two men promptly downloaded copious amounts of private customer information. They also gathered other information to anonymously raise concerns of cyber safety at both companies, as well, attempting to force Uber and Lynda.com to hand over large sums of bitcoin as part of a broader cyber ransom scheme.
Published court documents showed that Glover and Mereacre presented a portion of the stolen database (as “proof”) to cybersecurity officers at Uber, saying that they, if paid the ransom amount, would delete the stolen data and cover up the fact that any cyber breach had occurred in the first place, thus avoiding yet another PR scandal for the company.
Uber, per those court documents, agreed to pay the duo $100,000 in bitcoin, via a third party funds transfer system, and that Glover and Mereacre needed to sign confidentiality agreements in order to secure their illegally contrived payments.
“We’re dealing with the most sophisticated cyber actors in the world,” said FBI Special Agent in Charge John F. Bennett in a news release published by KPIX. The Uber breach was on a carousel of reporting for national outlets back in 2016, leading up to the company’s eventual $148 million settlement. Court documents revealed that the rideshare company violated California State ethical practice for data breaching and, also, ignored certain data security laws; they were fined accordingly.
“In order to take on those people on the front lines of the cybersecurity battle, we rely heavily on our valued relationships and open dialogue with private sector companies in cyber industries,” added Bennett. "Their willingness to speedily report intrusions to our investigators allows us to find and arrest those who commit data breaches.”
Come March of 2020, Glover and Mereacre could each face a maximum of five years in federal prison, in addition to a fine of up to $250,000, once their sentencing is finalized.