Uber Waits Months To Admit Data Breach, 50,000 Drivers Exposed

With more and more of our information online, it seems that data breaches are becoming more and more common. There is almost a standard protocol, now, for companies to report these issues responsibly. They alert the affected users as soon as possible (a delay of a month or two is sometimes necessary to avoid compromising internal investigations), advise them to watch for fraudulent activity, and often offer a one year subscription, free of charge, to an identity theft monitoring service.

With their recent data breach, it seems that Uber broke all the rules.

According to Tech Week, Uber discovered in September that a data breach had taken place in May, 2014, which led to the theft of the names and driver’s licence numbers of about 50,000 drivers.

The company said it immediately restricted access to the database in question and began an “in-depth” investigation.

In an unusual twist, Uber said it discovered the hack last September, more than five months ago.

According to Tech Week, Uber’s home state of California does not specify a length of time during which customers must be notified about a data breach, though the Wall Street Journal clarifies that

the law requires companies who lose consumer names and another piece of personal information, including a driver’s license number, to tell those affected “in the most expedient time possible and without unreasonable delay.”

The Wall Street Journal also spoke to Brian Finch, an expert in cyber security and data-breach law with Pillsbury Winthrop Shaw Pittman law firm in Washington, D.C. Finch stated that unless Uber’s delay was due to cooperating with law enforcement, it does seem to be an excessive length of time.

Katherine Tassi, managing counsel of data privacy for Uber, said in a blog post

  • To date, we have not received any reports of actual misuse of any information as a result of this incident, but we are notifying impacted drivers and recommend these individuals monitor their credit reports for fraudulent transactions or accounts.
  • Uber will provide a free one-year membership of Experian’s® ProtectMyID® Alert. If impacted driver partners have questions or need an alternative to enrolling online, please call (877) 297-7780 and provide the Engagement number listed in the notification letter.

Uber is far from the only high profile target of data breach. Sony was also recently targeted by hackers, as reported here by Inquisitr. Target lost a large amount of customer information last year, and smaller breaches happen all too often.

As for consumers, the advice remains the same. Keep a close eye on your accounts, and if you see any signs of data breach or fraudulent activity, investigate immediately.

[Image by Sergi Alexander/Getty Images]