Uber discloses data breach one year after it happened

Tammy Harvey
November 23, 2017

There are serious legal ramifications for Uber's decision not to immediately disclose the data breach.

News of the leak comes on the heels of revelations that the Australian Broadcasting Corporation accidentally exposed an Amazon Web Services S3 bucket containing a large amount of user data - an error that also recently led to almost 50,000 Australians' PII being leaked online by a government contractor.

"Our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded", he added.

The hackers also accessed driver's license numbers of around 600,000 drivers in the United States.

"While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes", Dara Khosrowshahi, the CEO of Uber who took over this September, told Bloomberg. The news service also said that Uber concealed the attack for more than a year.

It recently fired Joe Sullivan, its chief security officer, and deputy Greg Clark for their handling of the incident. Uber said it believes the information was never used but declined to disclose the identities of the attackers. The company also said it is notifying regulators, and monitoring affected rider accounts for signs of fraud.

The news that ride hailing service Uber has suffered, and covered up, a major hack means that millions of people could unknowingly have had their data put at risk.

Hackers are known to take seemingly low-value information, such as email addresses, and build on them with what they can find or steal elsewhere to prey on victims, according to McAfee vice president of labs Vincent Weafer.

U.S. Senator Richard Blumenthal took to Twitter to call for the FTC to investigate Uber, describing the company's behavior as "inexplicable" and asking for the FTC to impose "significant penalties". The company tracked down the hackers and pushed them to sign nondisclosure agreements, according to the people familiar with the matter.

Uber is trying to salvage its reputation following a number of high-profile controversies, including using software called Greyball to evade regulators, a court battle over allegedly stolen secrets from Google's self-driving car division, and a slew of complaints regarding sexual harassment and toxic company culture. From there, the hackers discovered an archive of rider and driver information. Uber paid the hackers in an effort to hide the breach and said it subsequently identified the individuals involved and "obtained assurances" that the downloaded data had been destroyed.

Former CEO Travis Kalanick, who was in charge when the hack took place, is still on the company's board of directors.
