
Uber revealed on Tuesday that it has kept a massive data breach affecting 57 million people quiet for more than a year. The hackers, the company toldfound the data onan Amazon cloud serverused by the firm. To keep the leak secret, Uber paid the hackers a ransom of $100,000.
“None of this should have happened, and I will not make excuses for it,” Dara Kosrowshahi, who recentlytook over the roleTravis Kalanick had at the time of the incident.
This isone of the larger breaches to have been disclosed by a major firm, but should you be worried?
Advertisement
The company has not fully revealed – but as of this afternoon, it has confirmed that . The data included customers’ names, email addresses and phone numbers, along with the drivers’ licence numbers of 600,000 Uber drivers.
Theseare the most worrying, says data breach expert : “a driver’s licence number is one of the points of identification that can be used for loans.” He suggests that drivers sign up to a fraud protection service, which Uber has in the wake of the breach.
For users, the danger is less immediate. No trip history, credit card details or US social security numbers were revealed. That said, theirpersonal contact information could make it easier for criminals to target people with phishing attacks or other scams. Security expert points out that scammers couldrefer to targets’ Uber accountsto make their messages seem more legitimate.
Few believe thehackers deleted their data haul on receiving the $100,000 ransom payment. “There is no guarantee they didn’t create multiple copies of the stolen data for future extortion or to sell on further down the line,” saysDavid Kennerley at cybersecurity firm Webroot.
Uber users are not as exposed as people were after the Equifax breach.However, the company itself will face significant consequences. Companies in the US have a legal obligation to notify authorities of large breaches, which Uber has admitted it failed to do in this case. “I think at the very least we’re likely to see the leadership of Uber dragged in front of Congress and asked to explain themselves, just like the CEO of Equifax was several weeks ago,” says Mike Chapple at the University of Notre Dame’s Mendoza College of Business.
In May 2018, when the General Data Protection Rules come into force, Uber may face consequences in the EU and UK too. Though the hack occurredin the US, the coming regulations will apply to any EU citizen’s data.If they are represented in any of the 50 million hacked records, GDPR could potentially bring punishment.
“I, like many people, am going to watch with great interest as Uber tries to worm its way out of this,” Hunt says.