Ride-hailing service Uber has confirmed that as many as 2.7 million people in the UK were among the 57 million who were impacted by a 2016 hacking incident that the company hid from customers and regulators for over a year.
Uber had paid £75,000 to hackers to keep a major data breach hidden from public view until new CEO Khosrowshahi decided to come clean and reveal the incident.
In a fresh statement, Uber has confirmed that last year’s data breach impacted as many as 2.7 million Britons, including both drivers and riders. The breach occurred after a couple of malicious individuals accessed login credentials for one of Uber’s Amazon Web Services servers from coding site GitHub and stole personal details of registered Uber drivers as well as millions of customers.
The breach incident took place in October last year under the watch of Travis Kalanick, Uber’s controversial co-founder who stepped down from the post of CEO in June this year following a near-revolt led by the company’s investors. After the breach was discovered by the company’s new management, Joe Sullivan, the company’s security chief, and Salle Yoo, its chief legal officer, were fired for their response to the incident.
Despite the fact that the personal information of millions of people was impacted, Uber said that affected people need not take any action as there is no evidence of fraud or misuse tied to the incident.
‘We are monitoring the affected accounts and have flagged them for additional fraud protection,’ Uber added.
Following Uber’s admission, the National Cyber Security Centre said that even though the breach involved user names, email addresses and mobile phone numbers of 2.7 million Brits, the stolen information does not pose a direct threat to people or allow direct financial crime.
However, the cyber security watchdog asked users to remain vigilant and to contact Action Fraud if they believe their personal details have been misused. At the same time, victims should also be vigilant against suspicious phone calls or targeted emails.
Last week, after details emerged about last year’s data breach, the Information Commissioner’s Office had warned that Uber could face huge fines for deliberately concealing the breach both from citizens and regulators.
‘We are working with the NCSC plus other relevant authorities in the UK and overseas to determine the scale of the breach, and what steps need to be taken by the firm to ensure it fully complies with its data protection obligations.
‘It’s always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers. Deliberately concealing breaches from regulators and citizens could attract higher fines for companies,’ said James Dipple-Johnstone, deputy commissioner, ICO.
A flash survey of 500 smartphone users in the UK conducted by Egress has also revealed that following Uber’s concealment of the breach for over a year, more than half of respondents have decided to delete the Uber app and use alternate ride-hailing services.
53% of such users also said that they will delete their Uber apps because of Uber’s dishonesty in trying to hide the breach. Ironically, 67% of people also said that despite the breach, they wouldn’t change their passwords.
‘Interestingly here it’s the fact that Uber covered up the breach that seems to have got people’s backs up, clearly showing how important honesty is when dealing with such incidents. The simple fact is that when this kind of thing happens, your customer base and bottom line are going to suffer so it has to be dealt with responsibly. While, in the UK, Uber has fewer direct competitors than in other parts of the world, controversies like this are going to drive customers away,’ says Tony Pepper, co-founder and CEO of Egress.
‘Consumers are becoming increasingly more aware of the risks to their personal data, so there’s only going to be fewer places to hide these incidents in future. However, I’d also expect more people to be taking proactive steps than we’ve seen here to mitigate any potential impact to sensitive data stored elsewhere, for example by changing passwords, so it’s clear more needs to be done to support citizens in the wake of data breaches and educate them in the best steps to take following such incidents,’ he adds.