Should I Change My Uber Password? Company Hid Massive Hack, Exposing User Info
For more than one year, Uber hid and actively tried to cover up that it experienced a massive data breach that exposed personal information of 57 million drivers and riders—most of which is information that victims cannot easily change—according to a report from Bloomberg.
In October 2016, Uber suffered a data breach that resulted in the names, email addresses and phone numbers of more than 50 million Uber riders around the world. The personal information of about seven million drivers was also stolen, including about 600,000 U.S. driver's license numbers.
Social Security numbers, credit card details, trip location information and other data associated with an individual's account were not exposed, according to Uber.
The company admitted to knowledge of the breach as early as November 2016, within a month of the hack occurring. However, the company never went public with the incident. In a statement, Uber said that it "took steps to contain and prevent harm" as soon as it was discovered but opted not to inform any of the affected parties. "We think this was wrong," the company said one year later when the details of the breach were made public.
In an effort to cover up the hack—which occurred while Uber was negotiating with U.S. regulators who were investigating other claims of privacy violations it was accused of making—the company paid the hackers responsible for the breach $100,000 to delete the data and keep quiet about the breach. Uber claims the stolen information was never used by the hackers. The company has declined to disclose any information about the hackers responsible for the breach.
The attack happened in relatively embarrassing fashion for the company's security team. Attackers were able to gain access to a private coding site used by Uber software engineers, where they found login credentials for an Amazon Web Services cloud storage account that was used to hold rider and driver information. The attackers stole that information then emailed Uber with an extortion attempt, demanding money to not publish the information.
Joe Sullivan, the chief security officer at Uber at the time of the hack, and one of his deputies were let go from the company earlier this week for their roles in attempting to hide the hack.
Uber Data Breach: Do You Need To Take Any Action?
Despite Uber allegedly deceiving its users, the company says you should not be concerned.
In a statement made by the ride-hailing company on Tuesday, Uber assured its riders and drivers that they do not need to take any action in order to secure their account or information. "We do not believe any individual rider needs to take any action. We have seen no evidence of fraud or misuse tied to the incident. We are monitoring the affected accounts and have flagged them for additional fraud protection," the Uber said.
However, it's worth noting that much of the information compromised in the breach is information that is difficult for a person to change. Most people do not change their name, address or phone number unless they have to. While much of that information is often available online already, Uber still is responsible for exposing data that it was tasked with keeping secure.
As for drivers who had their driver's license numbers exposed, Uber said in an additional statement that it is contacting affected drivers by mail or email and offering them free credit monitoring and identity theft protection.
© Copyright IBTimes 2024. All rights reserved.