Back in October 2016 there was a cyberattack against Uber that exposed 57 million users personal information. Uber acknowledged on Tuesday that two individuals had accessed and downloaded data on Uber riders and drivers that was stored in a third-party infrastructure system. As part of the cyberattack, the names and driver license numbers of around 600,000 drivers were accessed, according to Uber. 57 million users also had their information exposed, including names, emails, and mobile phone numbers, the company said in a blog post. Uber said other personal information, including trip details or credit card information, was not accessed.
Uber’s then-CEO Travis Kalanick first learned of the incident in November 2016, according to Bloomberg, the company’s chief security officer, at the time, and one of his deputies covered up the attack. This included a payment of $100,000 to the two hackers who had accessed the data in exchange for their promise to keep quiet and delete the information. As a result, Uber’s new CEO Dara Khosrowshahi has reportedly asked for the resignation of Uber’s Chief Security Officer, Joe Sullivan, and a lawyer who reported to him.
The latest news about the data breach is just one of many bad decisions that Khosrowshahi has had to inherit since Kalanick was ousted from the company in June. The company is facing several other federal investigations into its business practices and is preparing to stand trial next month. “None of this should have happened, and I will not make excuses for it,” Uber’s CEO Khosrowshahi said. “We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
Hackers have successfully infiltrated many companies in the past few years. The Uber breach, while large, is overshadowed by those at Yahoo, MySpace, Target Corp., Anthem Inc. and Equifax Inc. What’s more alarming are the extreme measures Uber took to hide the attack. The company maintains that individual riders don’t need to take any action since Uber has “seen no evidence of fraud or misuse tied to the incident.” It’s not always that simple as any data breach can be significant, since the personal information included in most accounts can be used to engineer everything from identity theft to phishing operations.
Since Uber is apparently unwilling to let individual customers know whether they were affected by the breach at this point, it’s not a bad idea to assume you were. And, as a precaution, and we’re sure you’ve heard this before, it’s time change your passwords—again. Once that’s done, check your accounts for fraudulent activity. Then you could always set up credit monitoring to ensure no one is using your personal information. It’s the lowest level of defense, but it’s better than nothing.