Uber reports that a cyber-security incident has exposed the personal information of some drivers and passengers. The company claims that it doesn’t look like payment details were downloaded. However, it adds that some data may have been downloaded. The Uber cyber-security incident is only the latest episode in an ongoing saga of troubles many thought would be over with the ouster of Travis Kalanick from the CEO post.
Uber cyber-security incident exposes personal data
New Uber CEO Dara Khosrowshahi gave details on the Uber cyber-security incident in a post on the company’s website. The incident actually happened late last year, many months before he took the helm of the company following a string of other types of incidents, most of which have been legal in nature.
He said that he learned that two people who are outside Uber had “inappropriately accessed user data.” The data was stored on a cloud-based service operated by a third party and used by Uber. He emphasized that the company’s own infrastructure and corporate systems were not breached in the incident.
Although the Uber cyber-security incident wasn’t reported until now, he says the firm took action immediately after it was discovered about a year ago. Uber reportedly shut down the access of the two people who were involved and “obtained assurances that the downloaded data had been destroyed.” The ride-sharing firm also implemented new security measures aimed at restricting access and improved its controls over its cloud storage accounts.
Here’s what was compromised in the Uber cyber-security incident
Khosrowshahi added that outside forensics experts don’t believe that any trip histories, credit card or bank account numbers, Social Security numbers or birthdates were downloaded from the service. However, he said that the two people were able to download some files which contain “a significant amount of other information.”
Data forensics experts believe the driver’s license numbers of about 600,000 U.S. drivers were exposed in the Uber cyber-security incident. They also believe that the personal information of 57 million users from around the globe was exposed. The information includes names, cell phone numbers and email addresses.
Uber offered separate information for drivers and passengers. The firm doesn’t believe passengers need to be concerned, but it reminded them to monitor all their accounts regularly and report anything unusual. Drivers who want to find out whether their license numbers were compromised can do so by logging into their Uber account via the company’s website.
Why Uber waited to report the cyber-security incident
In a sign that he’s tightening the reins, Khosrowshahi also announced that he’s taken action to correct procedures that kept the Uber cyber-security incident from being reported until now. He said that two of the employees who led the response to it are no longer with Uber, and that the company has started to notify drivers individually if their license numbers were downloaded. Uber is also offering free identity theft protection and credit monitoring to affected drivers and notifying regulators of the incident.
He added that they’ve seen no signs of fraud related to what happened, but they have flagged affected accounts to provide them with extra protection against fraud.