Ride-sharing company Uber has just disclosed a data breach that took place over a year ago. Uber acknowledged that personal information of around 50 million customers and 7 million drivers was stolen.
What happened and when
According to Uber, the breach occurred in October 2016, when unauthorized individuals gained access to company data stored on a third-party cloud-based service. Uber learned of the breach in November 2016, and claims to have immediately disabled the unauthorized access and taken steps to protect the data. Uber also says it was able to identify the individuals responsible for the attack and “obtained assurances that the downloaded data had been destroyed.”
If this last bit of information sounds somewhat unorthodox, it’s because it is. If Uber had identified the attackers, why were they not reported to the authorities? Following Uber’s announcement, confidential sources told the media that Uber had in fact paid the attackers USD $100,000 to delete the stolen data, obtained no verification that the deletion actually happened, and “buried” the payment in the “Bug Bounty” budget reserved for paying security researchers who help organizations identify security vulnerabilities. A bug bounty rewards researchers who report a flaw responsibly; it is not a channel for paying off attackers who have already exfiltrated data.
All this makes it look like deliberate steps were taken by the company to make a major security incident effectively “disappear.”
What data was affected
Uber reports that customer and driver names, email addresses and mobile phone numbers associated with accounts around the world were exposed. Additionally, driver’s license numbers of company drivers were exposed. Uber claims that no credit card numbers, bank account numbers, Social Security numbers, dates of birth or trip location histories were stolen.
Next steps and safeguards
Uber insists that customers do not need to take any additional steps as a result of this breach, but advises them to monitor their credit reports and Uber account activity for unauthorized use. Because names, email addresses and phone numbers were taken together, affected users should also treat unsolicited emails or text messages that reference their Uber account with suspicion, as this combination is enough to craft convincing phishing messages. Company drivers whose driver’s license numbers were exposed are being offered a free credit-monitoring service.