November 22nd, 2017
What's the issue?
Dara Khosrowshahi, CEO of Uber, issued a statement yesterday disclosing a data security incident that occurred in October 2016. As a result, the information of 57 million customers and drivers was compromised, including names, email addresses and phone numbers. In addition, approximately 600,000 U.S. drivers' license numbers were exposed. The impact on Canadian drivers and users has not yet been clarified.
Uber's delay in disclosing the breach, together with the secrecy surrounding its nature and the payment made to the cybercriminals, has again raised the issue of mandatory reporting requirements for the loss of personal information. 48 U.S. states, and most industries that handle personal information, such as financial services, already require mandatory reporting.
According to CNN, State Attorneys General from New York and Massachusetts have opened investigations into the data breach.
Canada has approved federal legislation for mandatory breach reporting that will come into effect, likely in early 2018, covering all industries and jurisdictions.
How does this happen?
The ride-sharing company was informed that hackers had gained unauthorized access to a third-party cloud-based service where the stolen data was stored. Uber states that its internal systems and infrastructure were not breached. A forensic investigation was conducted after the breach to determine whether any other information was affected; according to Uber, "our outside forensic experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded."
Immediately after the breach, Uber stated that it had taken the necessary steps to secure the stolen data, but according to Bloomberg Technology, one of the first outlets to report on this breach, Uber paid the hackers $100,000 to delete the data. Since Uber was negotiating with criminals, it is questionable whether the hackers actually deleted the data, or whether they had already exploited some or all of it.
What should I do?
Uber has not disclosed any specific information about who the 57 million affected customers and drivers are, so if you are an Uber customer or driver you should monitor your account and credit cards for unusual activity. Even though there is no evidence that credit card information was affected in this breach, it is better to be safe than sorry. The same applies to Uber users who have deleted their account: Uber's website warns that "Uber may retain certain information after account deletion as required or permitted by law." Anyone who has had an Uber account should be more alert, and since email addresses were stolen it is important to watch for an increase in phishing emails.
Uber has also made recommendations to its customers on what to do:
"We do not believe any individual rider needs to take any action. We have seen no evidence of fraud or misuse tied to the incident. We are monitoring the affected accounts and have flagged them for additional fraud protection."
"We encourage all our users to regularly monitor their credit and accounts, including their Uber account, for any issues. Please let us know via the Help Center if you see anything unexpected or unusual related to your Uber account. You can do this by tapping 'Help' in your app, then 'Account and Payment Options' > 'I have an unknown charge' > 'I think my account has been hacked'."
Uber is offering credit monitoring to its drivers, but has not offered anything to its customers.
For more information, be sure to check Uber's release on this data breach at https://www.uber.com/en-CA/newsroom/2016-data-incident.
We at NPC will continue to monitor the event and advise further if required.
For more information:
Bloomberg Technology - Uber Paid Hackers to Delete Stolen Data on 57 Million People
CNN - Uber's Massive Hack: What We Know
Uber Help - Delete my Uber account
Uber Newsroom - 2016 Data Security Incident