Uber confirms personal information of 57 million users and drivers was hacked

Hackers stole the personal information of 57 million Uber users and drivers last year, the taxi-hailing company's chief executive has revealed.

In a blog post, Dara Khosrowshahi, who took over in August, said he recently learned that two individuals outside the company "inappropriately accessed user data" in late 2016.

Stored in a third-party cloud-based service, Mr Khosrowshahi said the personal information of 57 million Uber users and drivers worldwide had been hacked.

This included names, email addresses and mobile phone numbers, as well as the names and number plates of some 600,000 drivers in the United States.

Mr Khosrowshahi said in the post: "At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals.

"We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed."

Bloomberg, the first to report the story, said that Uber paid $100,000 to the hackers to delete the data and keep the breach under wraps.

Mr Khosrowshahi said there had been "no indication" trip history, credit card details, bank account numbers or dates of birth were downloaded by the hackers.

"While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection," Mr Khosrowshahi said.

"None of this should have happened, and I will not make excuses for it.

"While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes."

Dermot Williams, Managing Director of Threatscape has said, "Uber has said the 600,000 affected drivers were all in the USA, but it seems the 57 million users whose information was stolen are located around the world.

"How many were in Ireland or the EU is not year clear – but were a breach like this to happen after May 2018 when GDPR is in force, the potential fines for a large breach of EU consumer data would be enormous and a 13-month delay in notifying the authorities would be unthinkable."

Responding to Uber CEO Dara Khosrowshahi’s blog post on the breach Mr Williams said: "Khosrowshahi is quick to point out that the incident ‘did not breach our corporate systems or infrastructure’ – but this is misleading as online companies rarely own the systems they use to store and process data, instead renting capacity from cloud providers such as Amazon, Microsoft and Google.

"A key aspect of the cloud era is that while a company like Uber may not be responsible for the operation of the third-party cloud services it uses, it is still very much accountable for the security of customer data stored there – including ensuring its personnel carefully guard the passwords for accessing that data. In this respect, Uber dropped the ball."

For Irish Uber customers Mr Williams advises: "Make sure you're not using the same password for Uber as you're using for other websites or online services, and if you are you need to change these as a matter of urgency.

"Also while Uber do not believe customer credit card information was stolen, it always prudent to monitor your statements for any unauthorised transactions."


More in this Section

Sir Richard Branson steps down as chairman of Virgin Hyperloop One

Firm fined for unsolicited spam e-mails and marketing calls

Four members of prominent Dublin family being sued in relation to alleged debts of over €5.6m

Judgement reserved on whether An Bord Pleanála breached obligations over Apple data centre plan


Breaking Stories

Ask a counsellor: ‘I’m scared my messy relationship history will put my new partner off me’

Whole world in their hands: Icons design globes in aid of GOAL

Nerina Pallot dancing to her own tune

Little-known plan could save you inheritance tax

More From The Irish Examiner