Uber has become the latest company to reveal that it has been hacked after confirming that the details of some 57 million customers and around 600,000 drivers were leaked.
Understandably, the questions customers and drivers will want answered are whether their details were leaked, which details were leaked and how dangerous the leak could be.
What happened?
In 2016 a pair of individuals were able to hack into data that Uber had stored on a third-party cloud server.
Having gained access, the individuals were then able to steal information belonging to Uber and in turn demand a ransom from the company.
In a statement, Uber’s new CEO Dara Khosrowshahi said:
“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed.”
Those assurances obtained by Uber involved giving the two individuals $100,000 in exchange for their silence and the promise that the information wouldn’t be shared.
What information was hacked and leaked?
The information relates to some 57 million customers and around 600,000 drivers.
According to Uber the information leaked includes:
- The names and driver’s license numbers of around 600,000 drivers in the United States.
- Some personal information of 57 million Uber users around the world, including the drivers described above. This information included names, email addresses and mobile phone numbers.
I use Uber, should I be worried?
Uber’s official advice following the hack is this:
“We do not believe any individual rider needs to take any action. We have seen no evidence of fraud or misuse tied to the incident. We are monitoring the affected accounts and have flagged them for additional fraud protection.”
Uber says it does not believe that any credit card or payment information was taken and has seen no evidence so far to suggest that it was.
Unfortunately for Uber, security experts believe that the situation is far more serious.
Paul Ducklin, Senior Security Advisor for Sophos, had this to say to HuffPost UK:
“Data breaches that include ‘only’ names, addresses and phone numbers are often dismissed as being of not much significance. There are two reasons why that’s dangerous thinking.
“The first is that all personal data, especially when collected in bulk, is worth something to cybercrooks. Even if the crooks who stole the data aren’t themselves in the business of phishing, scamming or social engineering, there’s a market for it on the Dark Web. Even if all that happens is that you end up getting yet more scammy and spammy emails, or yet more calls from those fake support scammers (for whom a list of personal details including phone numbers and a pretext to call you is more than enough to keep their ‘business’ awash in potential victims), well, that’s simply not good enough.
“And that brings us to the second reason why all breaches matter: it’s a violation of the social contract between customers and the businesses where they entrust their data. Simply put, if I give you my name, address, phone number and whatever else besides, you jolly well owe it to me to keep that data private. If I want to publish it, that is my choice, but it can never be yours.
“In Uber’s case, of course, there’s a third and rather unusual reason to be concerned despite the nature of the data stolen: given that the company not only lost your data but seems to have entered into some kind of deal with the crooks to stop you finding out about its incompetence, what reason do you have for trusting the company when it says, ‘Don’t worry, we didn’t lose that much after all’?”
I’m a driver for Uber, should I be worried?
Uber believes that the email address, phone number and license numbers of around 600,000 drivers in the US were leaked.
It does not believe that any drivers in the UK have been affected.
If you are in the US Uber should be reaching out to you directly and has said that it will be providing free credit monitoring and identity theft protection.
Speaking again to HuffPost UK, Paul Ducklin, Senior Security Advisor for Sophos, explains why the leak of this information would be especially bad if it had taken place in the UK.
“For Uber drivers, sadly, the news is much worse.
“The more personal information that the crooks can accumulate about you, the closer they are to being able to convince someone else that they *are* you - especially if the data includes something that you wouldn’t expect just anyone to know, like your driving license number. (In the UK, your driver number is not meant to be public knowledge, so it is often treated as a kind of ‘identity Shibboleth’ by call centres and information processors - in other words, the fact that you know it at all vouches positively for your identity in some way.)
“Simply put, the more fields about you that the crooks can fill in on an application form, or the more questions about your identity and personal details they can answer correctly if they’re trying to hack their way through a call centre, the closer you are to identity theft and other cybercrimes.”
What can I do next?
If you’re worried about this hack, or indeed any other, a good place to start is this site: Have I Been Pwned?
It was created by Australian security researcher Troy Hunt and is essentially a database of the email addresses and passwords exposed in the largest hacks of recent years.
If you’ve been hacked, it is very likely that this website will be able to tell you.
Next step: change your passwords.
It sounds painfully simple but in almost all cases this is the simplest and most effective way to protect yourself from further attacks.
Using a password manager like Keeper Security or 1Password can also help. A password manager is an encrypted digital vault that stores all your passwords, generates strong new ones that you don’t have to remember, and is protected by a single long password or by the biometric security on your smartphone, such as a fingerprint sensor or facial recognition.
If there are passwords that you do need to remember, they should be a string of random words that only a human could come up with. A perfect example would be “leekeatingrabbitstorm”. It makes zero sense and would take a computer millions and millions of guesses to get right.
The next thing you need to do is set up two-factor authentication. This means that even if someone does guess your password, they will still need to enter a special code delivered to your smartphone.
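Checking a password against Have I Been Pwned’s Pwned Passwords list does not require sending the password, or even its full hash, to the site: the client hashes the password with SHA-1, sends only the first five hex characters, receives every leaked hash suffix sharing that prefix and matches the rest locally. The example below is added here (it is not from the article or from Have I Been Pwned) and uses a constructed response body so it runs offline; the `offline_fetch_range` stand-in and all counts are assumptions, while the first suffix is the real tail of SHA-1("password").

```python
import hashlib
from typing import Callable, Dict

# Constructed stand-in for a Pwned Passwords range response (not real data).
# The real service (GET https://api.pwnedpasswords.com/range/<5 hex chars>)
# returns one "<35-char SHA-1 suffix>:<count>" line per leaked hash whose
# SHA-1 starts with that prefix. The first suffix is the genuine tail of
# SHA-1("password"); the other suffixes and every count are made up.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "0D0E5C2F8A1B3C4D5E6F708192A3B4C5D6E:2\r\n"
        "0123456789ABCDEF0123456789ABCDEF012:1\r\n"
    ),
}

def offline_fetch_range(prefix: str) -> str:
    """Stand-in for the HTTP call; a real client would GET the range URL."""
    return CONSTRUCTED_RANGES.get(prefix, "")

def split_hash(password: str):
    """SHA-1 the password and split it into the 5-char prefix that is sent
    to the service and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body: str) -> Dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a dict, skipping blank/malformed lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix] = int(count)
    return counts

def breach_count(password: str,
                 fetch_range: Callable[[str], str] = offline_fetch_range) -> int:
    """How many times the password appeared in known breaches (0 = not found).
    Only the hash prefix is handed to fetch_range; the match is done locally."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)

if __name__ == "__main__":
    for pw in ("password", "leekeatingrabbitstorm"):
        print(pw, "->", breach_count(pw))
```

Swapping `offline_fetch_range` for a function that performs the real HTTP GET turns this into a working client that still never transmits the password or its full hash.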
What are the experts saying about this?
Well, unsurprisingly, the reaction from experts has not been positive. While the information leaked is not as dangerous as it could have been, many experts have instead focused on the way that Uber dealt with the breach.
Raj Samani, Chief Scientist and Fellow at McAfee:
“As a regular Uber customer myself, this news makes me incredibly angry. Uber has treated its customers with a complete lack of respect. Millions of people will now be worrying over what has happened to their personal data over the past 12 months, and Uber is directly responsible for this.
In opting to not only cover up the breach, but actually pay the hackers, Uber has directly contributed to the growth of cybercrime and the company needs to be held accountable for this.”
Rob Norris, VP Head of Enterprise & Cyber Security EMEA at Fujitsu:
“Paying hackers to delete stolen data is certainly not an advisable practice, and in fact, must be frowned upon. After all, companies that do pay ransom or transfer large amounts of cash to hackers only encourage this type of behaviour.”
Andy Norton, director of threat intelligence at Lastline:
“The timing is important. Firstly the disclosure shows the new CEO sending a clear message that ethically questionable business is not entertained, and secondly because the disclosure arrives before the deadline of GDPR, for which this kind of breach would be a poster child example. Based on 2016 revenues Uber would be looking at a $65 million fine, 4% of revenue if European customer data was in the breached database under GDPR.”