Still Using Uber? You Might Want to Read This
Nearly two years ago in 2016, hackers approached Uber to inform them of a massive data breach. According to Bloomberg, the hackers had personal information like names, email addresses, and phone numbers of 50 million users around the world, as well as the personal info of seven million drivers, with over 600,000 driver’s license numbers also stolen.
And while this data breach is startling at the very least, the way the company handled it is even worse.
Finally telling Uber users about the hack in a blog post yesterday, the company’s CEO Dara Khosrowshahi gave a vague outline as to how the tech startup dealt with the hackers. “At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals,” Khosrowshahi wrote in his post. “We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”
But what does it mean when a company “secures” the data? Bloomberg says that Uber actually paid the hackers $100,000 to delete all the information they stole from the company. Which, if you think about it for more than five seconds, is actually a really terrible precedent to set.
At the time, regulators were investigating Uber over privacy breach claims, which could explain why former CEO Travis Kalanick kept the hack secret. With Tuesday’s disclosure, however, New York Attorney General Eric Schneiderman has launched a new investigation into the company’s practices.
The details of how Uber got hacked (Uber engineers left their AWS keys on Github) don't do much to inspire confidence in their cybersecurity practices. This is the equivalent to: left the keys to the safe in the front door.
— Sheera Frenkel (@sheeraf) November 21, 2017
While this isn’t the biggest data breach ever, the fact that the company did not disclose it at the time is troubling. According to some reports, the information was easy for hackers to access because Uber’s engineers were lax with security online, and that may be why the company stayed quiet. Regardless, the secrecy around the payout is pretty bad. Uber is also being investigated in the UK for the data breach, because the island nation is the largest Uber user in Europe.
Khosrowshahi, meanwhile, is offering free credit monitoring for drivers whose personal info was stolen in the hack and has hired security expert Matt Olsen, a former staffer at the National Security Agency and director of the National Counterterrorism Center, to help the company going forward.
“None of this should have happened,” Khosrowshahi closed his blog post, adding, “and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”