Why the Uber Data Leak is Bad, and What You Can Do About It

Passengers and drivers alike recently found out that Uber paid hackers $100,000 to cover up a data breach that compromised the driver and rider accounts of at least 57 million people. We also found out that Uber kept this information secret for more than a year. So how bad is this data breach and what should you do about it? Today, senior RSG contributor Will Preston covers the breach, how it affects drivers and riders, and what you should do today to protect yourself.

Depending on where you read about the Uber data leak, combined with what you already think about Uber’s ethics, you may be anywhere from mildly concerned to completely outraged. As a person who has made most of his living protecting other people’s data, I am much closer to the latter than the former. I will explain why I am so outraged, and give some advice on what to do.

Note: You can read Uber’s official statement about the hacking incident here.

What Happened?

In October 2016, hackers downloaded the full names, email addresses and phone numbers of 57 million riders, and also obtained the driver's license numbers of about 600,000 US drivers. Uber says they "took immediate steps to secure the data, shut down further unauthorized access, and strengthen our data security."

Multiple outlets have reported that the immediate step Uber apparently took was to pay the hackers $100,000 to destroy the data they stole. Additionally, Uber did not notify riders or drivers of the hack at the time. "We think this was wrong," Dara Khosrowshahi, the new CEO of Uber, says in a blog post.

No kidding. Not only was it wrong, it was also illegal in 48 states not to notify people of a data breach. More on that below, but first, what does this mean for passengers and drivers?

Is This a Big Deal for Passengers?

While the passenger information obtained seems relatively minor – since it didn’t contain either driver’s license numbers or Social Security numbers – it isn’t minor when you consider how phishing attacks work.

57 million riders can now be sent an email that is addressed to them by name, looks like it comes from Uber, and asks them to "confirm" or "reset" their Uber password on a site the attacker controls. And that is exactly what is already happening, according to this Twitter user.

This is one of the reasons why not reporting it at all is the real problem here. Even now that Uber has chosen to report this to the media, they are telling riders there is nothing to worry about. Nor are they telling individual riders whether they were affected by the breach.

Is This a Big Deal for Drivers?

A hacker can definitely do damage to your reputation using your driver's license number. They generally can't open credit accounts in your name without your Social Security number and date of birth, but they can still do damage.

They can give your driver's license number to a cop who stops them, or they can use it to create a fake ID that is then used in other crimes, such as passing bad checks in your name. You could find yourself facing check fraud charges without ever having written a check.

In addition, the driver's license is just one more piece in the puzzle of your life. Hackers may already have your name, date of birth (DOB), and Social Security number from the Equifax breach. Tying your driver's license number to that makes the portfolio that much stronger and more valuable.

Just like riders, drivers need to be on the lookout for phishing scams that use this data breach to try and get you to reveal your password. The best way to thwart them now is to immediately change your Uber password, and to do it by opening the Uber app or typing uber.com into your browser yourself, never by clicking a link in an email or text message. Once you have changed it, you can ignore any messages telling you to do so, no matter how legitimate they look.
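A concrete look at why "don't click the link" is the right rule. The following is an added example, not part of the original post and not Uber's code: it pulls every link out of a constructed phishing email and flags any whose host is not uber.com or a subdomain of it. The trusted-domain list and the sample email are assumptions made for the example; the two tricks it catches (a lookalike domain that merely starts with "uber.com", and a "user@host" URL where the real host is hidden after the @) are exactly the ones a phisher relies on the visible link text to disguise.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains treated as genuinely Uber's. Assumption for this example only;
# verify the real domains yourself rather than trusting this list.
LEGIT_DOMAINS = frozenset({"uber.com"})


class _HrefCollector(HTMLParser):
    """Collects the href of every <a> tag, ignoring the visible link text."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_links(html: str) -> list:
    """Return the href targets in an HTML email body, in document order."""
    collector = _HrefCollector()
    collector.feed(html)
    return collector.hrefs


def link_is_legit(url: str, legit_domains=LEGIT_DOMAINS) -> bool:
    """True only for https links whose host is a trusted domain or a subdomain of one.

    urlparse().hostname discards any user@ prefix and the port, so
    'https://riders.uber.com@evil.example/' resolves to host 'evil.example'.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower().rstrip(".")
    if parsed.scheme != "https" or not host:
        return False
    return any(host == d or host.endswith("." + d) for d in legit_domains)


def suspicious_links(html: str) -> list:
    """Every link in the email that fails the host check."""
    return [url for url in extract_links(html) if not link_is_legit(url)]


# Constructed sample phishing email (not a real message). Note that the first
# link's visible text says uber.com while its actual target does not.
SAMPLE_EMAIL = """
<p>Hi Will, we noticed unusual activity on your Uber account.</p>
<p><a href="https://uber.com.account-verify.net/reset">https://uber.com/reset</a></p>
<p><a href="https://riders.uber.com@evil.example/login">Sign in</a></p>
<p><a href="https://help.uber.com/">Help Center</a></p>
"""

if __name__ == "__main__":
    for url in suspicious_links(SAMPLE_EMAIL):
        print("SUSPICIOUS:", url)
```

The check is deliberately strict: a plain http link or a host that only resembles uber.com both fail. That strictness is the point, since the attacker controls everything you can see in the message except the true hostname.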

This Was a Direct Violation of Multiple State Laws

As of this writing, 48 states, plus DC, Puerto Rico, and the US Virgin Islands, have enacted laws requiring notification of security breaches involving personal information. Only Alabama and South Dakota have no such law.

By failing to notify those affected, especially the 600,000 drivers whose driver's license numbers were stolen, Uber may have actually broken the law in 48 states and several territories.

And this was not like the crimes they allegedly committed with "Greyball," the secret program designed to help Uber drivers evade regulators where Uber wasn't exactly legal. That "crime" had a "Robin Hood" feel to it, allowing Uber drivers (the Robin Hoods) to give customers a superior, cheaper service than taxis, while evading the authorities (the Sheriff of Nottingham).

No such spin is possible here.  The only thing Uber was protecting by not going public with this breach was Uber’s own reputation. Unfortunately, this announcement will likely do more damage to their reputation than the original one would have.

Blatant Disregard for the Safety of Customer and Driver Information

Even if there weren’t 48 state laws that require immediate notification of such breaches, the fact that Uber would not notify its customers and drivers of a data breach shows blatant disregard for the safety of their information. The new CEO, Dara Khosrowshahi, says that everyone who was responsible for this has left the company. But the environment in which those people flourished is still there. He has a lot of work to do to clean up the culture of the company.

It Shows an Alarming Naivete About Data Leaks and Hackers

Multiple reports indicate that Uber's response was to pay the hackers $100,000 to "destroy the data." Khosrowshahi's blog post said that they "subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed." First, this falls under the principle of never negotiating with terrorists, because it only emboldens them. Hackers now know that they can extort money out of Uber if they steal its data.

Second, data is not like a car. You can't just give it back, nor can you count on a hacker to destroy said data, and there is no way to verify that a copy was not kept. Whatever assurances Uber was given were given by criminals. Once data is stolen, you must assume it is everywhere. The Internet never forgets. Just ask any of the celebrities whose nude photos ended up online.

What Should You Do?

I haven’t gotten a single e-mail from Uber about the hack or seen any type of in app notifications. There are a few things you can and should do to respond to this breach. You might find some of them strange, but this is the world we are in.

Tell Uber you want to be notified

If you want to find out if you’ve been hacked, you can go to this page about the incident and ‘opt in’.

Unfortunately, this does not immediately notify you if you have been hacked. It simply tells Uber that you want to be notified if you’ve been hacked. Hey Uber!  We all want to know if we’ve been hacked! I’m shaking my head on this one.

I did receive an email from Uber support the next day telling me my driver's license was not included in the download (but Harry got one that said he had been hacked).

Immediately change your Uber password, and anywhere else you used it

The standard response to such an event is to immediately change your password to the affected account. I would also tell you to enable two-factor authentication, but Uber does not appear to support that yet.

You should also change the password on any accounts where you used the same password you used on your Uber account.  That, of course, brings up another issue.

Don’t reuse passwords

You should never use the same password on multiple accounts. Reusing passwords significantly increases your risk if one of your accounts is breached, because attackers take the leaked email and password pairs and try them on every other popular site. Since the number of accounts we have in the modern world can be measured in the dozens or hundreds, the best way to handle this is to use a password manager such as 1Password or Dashlane. Personally, I use Dashlane and love it.

Use good passwords

Learn what makes a good password and follow those suggestions. The best advice I can give you is that longer is better. An 8-character password can be guessed by modern computers in about fifteen minutes. Guessing an 11-character password would take 53 years. The exact figures depend on the attacker's guessing speed, which characters you use, and how the site stores your password, but the principle holds: every extra character multiplies the attacker's work.
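To make that "longer is better" claim concrete, here is an added example (not from the original post) that computes how long an exhaustive search takes for a given length, character set and guess rate, and generates a password with Python's cryptographically secure `secrets` module. The guess rate of ten billion per second is an assumption chosen to represent a fast offline cracking rig; the page's own fifteen-minutes and 53-years figures correspond to different assumptions, which is exactly why the example takes the rate as a parameter.

```python
import math
import secrets
import string

SECONDS_PER_YEAR = 365 * 24 * 3600


def search_space(length: int, charset_size: int) -> int:
    """Number of distinct passwords of exactly this length over this alphabet."""
    return charset_size ** length


def entropy_bits(length: int, charset_size: int) -> float:
    """Bits of entropy of a uniformly random password of this length."""
    return length * math.log2(charset_size)


def years_to_exhaust(length: int, charset_size: int, guesses_per_second: float) -> float:
    """Years for an attacker to try every password of this length at the given rate."""
    return search_space(length, charset_size) / guesses_per_second / SECONDS_PER_YEAR


def generate_password(length: int = 16, alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> str:
    """Random password drawn with the secrets module, never the random module."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    rate = 1e10  # assumed attacker speed: ten billion guesses per second
    printable = 95  # printable ASCII characters
    for length in (8, 11, 16):
        print(
            f"{length} chars: {entropy_bits(length, printable):5.1f} bits, "
            f"{years_to_exhaust(length, printable, rate):.3g} years at {rate:.0e}/s"
        )
    print("example password:", generate_password())
```

Run it and the three rows show the jump in attacker effort from 8 to 11 to 16 characters. Each added character from a 95-symbol alphabet multiplies the search by 95, so going from 8 to 11 characters costs the attacker about 857,000 times more work at any guess rate.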

Take the free credit monitoring, but watch for caveats

If you are offered free credit monitoring from Uber, I’d say take it.  There is nothing wrong with monitoring your credit.  It does not hurt your credit to do so, and you might learn a few things in the process.

One thing to watch out for, though. If you are considering suing Uber, check any agreement for a waiver of rights. The Equifax breach, for example, also offered free credit monitoring.  But if you took them up on it, you waived your right to sue them. (This waiver has since been removed.)

This is the Worst Thing I’ve Ever Seen Uber Do

I’ve taken a lot of heat from some readers for defending Uber over UberPOOL, upfront pricing, and other things.  I was always able to see Uber’s side of the story. This is not the case with this story.

Uber’s actions here were potentially criminal in almost every state and territory, and show a massive disregard for the privacy of customer data. Even the blog post describing the incident attempts to spin it in a way that doesn’t reflect reality. The irony that this happened in the midst of the 180 days of change and on the same exact day they released Chapter 6 is also not lost on me.

Readers, do you have any questions about the hack? Make sure to visit this page and tell Uber to let you know if your account was compromised.

-Will @ RSG