23 November 2017
A data breach at human cloud, ride-sharing firm Uber in October 2016 exposed information related to 57 million rider and driver accounts, the company disclosed earlier this week in a blog post by CEO Dara Khosrowshahi.
The hack exposed the names, email addresses and mobile phone numbers related to the accounts of 57 million riders and drivers globally. It also included the license numbers of approximately 600,000 drivers in the US; however, Uber refused to disclose how many UK customers are affected.
James Dipple-Johnstone, deputy commissioner at watchdog the Information Commissioner’s Office, commented, “We can confirm that UK citizens have been affected by the data breach involving Uber last October. As UK citizens would expect, the ICO is in direct contact with the company to establish the numbers and what kind of personal data may have been compromised. Deliberately concealing breaches from regulators and citizens could attract higher fines for companies.”
Fiona Coombe, Director of Legal and Regulatory Research at Staffing Industry Analysts, commented, “Under the GDPR that is to come into effect in May 2018, the penalty for a failure to report such data breaches will greatly increase.”
Uber added that outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded.
Khosrowshahi wrote in the blog post that two individuals who led the response to the incident are no longer with the company, and that, to help guide the company going forward, it has brought in Matt Olsen, co-founder of a cybersecurity consulting firm, former general counsel of the National Security Agency and former director of the National Counterterrorism Center.
Uber is also notifying drivers whose license numbers were downloaded, providing those drivers with free credit monitoring and identity theft protection, notifying regulatory authorities, and monitoring affected accounts, including flagging them for additional fraud protection.
“None of this should have happened, and I will not make excuses for it,” Khosrowshahi wrote in his post. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
Bloomberg reported that Uber paid the hackers $100,000 to delete the information and keep quiet, and that Chief Security Officer Joe Sullivan and another exec were ousted.
The New York Times reported Uber acquiesced to the demands, and then tracked down the hackers and pushed them to sign nondisclosure agreements, citing people familiar with the matter. “To further conceal the damage, Uber executives also made it appear as if the payout had been part of a ‘bug bounty’ — a common practice among technology companies in which they pay hackers to attack their software to test for soft spots,” the newspaper reported.
The Telegraph reported that the UK’s National Cyber Security Centre is investigating the extent of the breach and the failure of Uber to report it to authorities at the time. Meanwhile, the National Crime Agency is also involved in investigations, suggesting the hackers may even have been British-based.
“We are working with the NCSC plus other relevant authorities in the UK and overseas to determine the scale of the breach, and what steps need to be taken by the firm to ensure it fully complies with its data protection obligations,” Dipple-Johnstone said. “It’s always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers.
“Uber’s announcement about a concealed data breach last October raises huge concerns around its data protection policies and ethics. If UK citizens were affected then we should have been notified so that we could assess and verify the impact on people whose data was exposed,” Dipple-Johnstone said.
London Mayor Sadiq Khan said the cover-up was “of real concern”.
Uber is also appealing a ban on its London operations imposed by Transport for London after TfL deemed it not a “fit and proper” private car hire operator.