Uber has confirmed a massive data breach that took place in late 2016 when hackers stole personal information of both riders and drivers. The cab-aggregating service also paid the hackers $100,000 to keep this massive data breach a secret, even though it impacted over 57 million accounts. Uber’s new CEO Dara Khosrowshahi has now written a blog post explaining the security incident in detail.
The post says Uber needs to be “honest and transparent” to “repair” their mistakes, which is why they are now revealing the data breach. But the company is facing criticism for how it has handled this whole crisis.
Uber’s CEO wrote in the post, “I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use. The incident did not breach our corporate systems or infrastructure.”
The statement also adds there was no indication that the hackers accessed details such as trip location history, credit card numbers, bank account numbers, social security numbers or dates of birth. Such data getting compromised would have made this a much more serious breach and the company insists none of this was downloaded by the hackers.
So what did hackers manage to steal from Uber? According to the post, names and driver’s licence numbers of around 600,000 drivers in the United States were stolen. In addition to this, personal information of 57 million Uber users around the world, including the drivers, was also stolen. This information included names, email addresses and mobile phone numbers.
The CEO’s post further says, “The individuals were able to download files containing a significant amount of other information” though it does not specify what this ‘other information’ is. The company claims it took “immediate steps to secure the data and shut down further unauthorized access by the individuals.” It also adds they “obtained assurances that the downloaded data had been destroyed”.
So what should Uber riders do next and what does the company plan to do about this? Uber’s CEO said they will look at how to keep their data secure in the future and the company is now notifying regulators. The fact that Uber did not “notify affected individuals or regulators last year” remains a serious issue.
Uber will now consult with Matt Olsen on how to go forward with data security. Olsen is a co-founder of a cybersecurity consulting firm and former general counsel of the National Security Agency and director of the National Counterterrorism Center. The company also said the two people who “led the response to this incident” are no longer with them though it is unclear if they were fired or quit on their own.
The company will “individually” alert all drivers whose license numbers were downloaded and give them “free credit monitoring and identity theft protection”. The company also says it is monitoring “affected” user accounts for any signs of fraud, etc., and will alert them.
The post ends thus: “None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
So what should users of the Uber app be worried about? According to Uber, they do not have any evidence that data like credit card numbers, bank account numbers, etc., were stolen and downloaded, though mobile numbers and email addresses were stolen. Uber’s support page also says they do not think “any individual rider needs to take any action”.
But if you do suspect your account or credit/debit card information has been hacked, then just go to the “Help” section in the app, tap on “Account and Payment Options” > “I have an unknown charge” > “I think my account has been hacked” and contact Uber’s customer service. For now, Uber says users should not panic unless they see fraudulent transactions on their credit card.