Uber admits its data hack affected 2.7 million people in the UK
Last year’s Uber hack, which reportedly saw the firm trying to cover up a massive data breach by paying hackers to keep quiet, impacted around 2.7 million people in the UK.
Uber has said the breach involved names, mobile phone numbers and email addresses.
In an update from the Information Commissioner’s Office, which is looking into the breach and its causes, deputy commissioner of operations James Dipple-Johnstone said: “As part of our investigation we are still waiting for technical reports which should give full confirmation of the figures and the type of personal data that has been compromised.
“On its own, this information is unlikely to pose a direct threat to citizens. However, its use may make other scams, such as bogus emails or calls, appear more credible. People should continue to be vigilant and follow the advice from the NCSC.
“We would expect Uber to alert all those affected in the UK as soon as possible.”
Uber hack: What happened?
The breach is said to have occurred in October 2016. Names, email addresses and phone numbers of more than 50 million users globally were accessed, and around 7 million drivers were affected, with hackers accessing around 600,000 US driver’s license numbers.
Uber then reportedly made payments of $100,000 (£75,000) to hackers who claimed they had breached the ride-sharing app’s systems, according to Bloomberg.
Following the news, the UK’s National Cyber Security Centre issued guidelines to Uber users and drivers on managing their account and data in light of this breach.
A blog from the agency says: “Based on current information, we have not seen evidence that financial details have been compromised. However, if you think you have been a victim of online crime, you can report a cyber incident using Action Fraud’s online fraud reporting tool any time of the day or night, or call 0300 123 2040. For further information visit www.actionfraud.police.uk.”
Reports claim Uber’s former chief executive Travis Kalanick has known about the breach for over a year. Kalanick was forced out of the company in June, after months of controversies relating to sexism and poor working practices. He was replaced in August by former Expedia boss, Dara Khosrowshahi.
“While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection,” Khosrowshahi said in a statement.
“None of this should have happened, and I will not make excuses for it,” he added. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”
In the wake of the revelation, Uber fired its chief security officer, Joe Sullivan. The company has also set up pages for drivers and riders who may have been affected by the hack. These emphasise that the company has seen no evidence of fraud. They mention that Uber will offer drivers free credit monitoring and identity theft protection, but this is not extended to users of the service.
“Our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded,” the page explains.
According to Bloomberg, two hackers managed to access a private GitHub site for Uber software engineers. They were able to grab login credentials from there, which allowed them to access an Amazon Web Services account for Uber. There they found an archive of driver and user information, and blackmailed the company for money.
“Uber has played a risky game here, not only concealing the hack but exacerbating the problem by paying off the hackers,” commented Dean Armstrong QC, cyber law barrister at Setfords Solicitors. “This will simply encourage them further and result in more attempts to steal personal data from organisations.” Armstrong added that the upcoming General Data Protection Rules (GDPR) will introduce stricter guidelines on data protection to the UK and EU in 2018, and that under these rules Uber would have had to notify the regulator within 72 hours of being aware of the hack.
Uber has not had a great year, to put it mildly. The resignation of Kalanick was clearly intended to distance the company from mounting claims of allowing a sexist working environment, and came in the wake of reports that Uber’s boss in Asia had been fired for obtaining medical records of a woman who had been raped by an Uber driver. The bad news has continued to mount since Khosrowshahi joined the company, however. The ride-sharing company has lost its licence to operate in London, and recently lost an appeal in the UK over how its workers should be categorised.