Uber data breach raises unsettling questions for infosec

Ann Santiago
November 23, 2017

Almost two years ago in 2016, hackers approached Uber to inform them of a massive data breach.

"Companies like Uber will not be able to hide the breaches of our personal data from us or face penalty", she said, without mentioning a sum for an European Union fine for Uber.

Uber's chief executive Dara Khosrowshahi explained in a release that the hackers found 57 million names, email addresses and mobile phone numbers; around 600,000 drivers in that pool had their names and license details exposed.

"At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals".

Uber paid the hackers $100,000 to destroy the data, not telling riders or drivers whose information was at risk, according to a source familiar with the situation.

These drivers have been notified, and Uber is providing them with free credit monitoring and identity theft protection. Regulatory authorities were being notified, the company added. Uber's bad days will pass once the company takes several precautionary measures.

As much as this is a story about Uber's ongoing problems, Uber is hardly the first company to lose customer data to hackers or to try to keep such an incident under wraps. The hack introduces an unexpected factor in negotiations between SoftBank Group Corp. and Uber shareholders over a planned investment of as much as $10 billion, a deal Khosrowshahi has been championing. The two employees were removed this week.

Many other companies are failing to properly protect their privileged access accounts to both cloud and on-premises services, leaving them exposed to compromise from hackers that use default passwords, or non-unique user passwords stolen from other services, to breach their systems.

The new management of San Francisco-based Uber said on Tuesday that it had only learned recently that personal information from about 57 million Uber accounts had been stolen in 2016.

"I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it", he said. With Tuesday's disclosure, however, New York Attorney General Eric Schneiderman has launched a new investigation into the company's practices.

Uber's silence about its breach came while it was negotiating with the Federal Trade Commission about its handling of its riders' information.

"We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers".
