杏吧原创

Uber had a massive data hack – here’s how worried you should be

Uber's customer and driver data has been compromised for a year - but Uber has only just revealed details.
someone using the Uber app
Have you been pwned?
Jaap Arriens/SIPA USA/PA Images

Uber revealed on Tuesday that it has kept a massive data breach affecting 57 million people quiet for more than a year. The hackers, the company told听听found the data on听an Amazon cloud server听used by the firm. To keep the leak secret, Uber paid the hackers a ransom of $100,000.

鈥淣one of this should have happened, and I will not make excuses for it,鈥 Dara Kosrowshahi, who recently听took over the role听Travis Kalanick had at the time of the incident.

This is听one of the larger breaches to have been disclosed by a major firm, but should you be worried?

The company has not fully revealed 听鈥 but as of this afternoon, it has confirmed that . The data included customers鈥 names, email addresses and phone numbers, along with the drivers鈥 licence numbers of 600,000 Uber drivers.

These听are the most worrying, says data breach expert : 鈥渁 driver鈥檚 licence number is one of the points of identification that can be used for loans.鈥 He suggests that drivers sign up to a fraud protection service, which Uber has in the wake of the breach.

For users, the danger is less immediate. No trip history, credit card details or US social security numbers were revealed. That said, their听personal contact information could make it easier for criminals to target people with phishing attacks or other scams. Security expert points out that scammers could听refer to targets鈥 Uber accounts听to make their messages seem more legitimate.

Few believe the听hackers deleted their data haul on receiving the $100,000 ransom payment. 鈥淭here is no guarantee they didn鈥檛 create multiple copies of the stolen data for future extortion or to sell on further down the line,鈥 says听David Kennerley at cybersecurity firm Webroot.

Uber users are not as exposed as people were after the Equifax breach.听However, the company itself will face significant consequences. Companies in the US have a legal obligation to notify authorities of large breaches, which Uber has admitted it failed to do in this case. 鈥淚 think at the very least we鈥檙e likely to see the leadership of Uber dragged in front of Congress and asked to explain themselves, just like the CEO of Equifax was several weeks ago,鈥 says Mike Chapple at the University of Notre Dame鈥檚 Mendoza College of Business.

In May 2018, when the General Data Protection Rules come into force, Uber may face consequences in the EU and UK too. Though the hack occurred听in the US, the coming regulations will apply to any EU citizen鈥檚 data.听If they are represented in any of the 50 million hacked records, GDPR could potentially bring punishment.

鈥淚, like many people, am going to watch with great interest as Uber tries to worm its way out of this,鈥 Hunt says.

Topics: Computer crime / Privacy