According to Bloomberg, the popular ridesharing app was hacked in October 2016, resulting in the disclosure of the personal information of roughly 50 million customers and 7 million drivers. After infiltrating Uber’s database, hackers were able to steal names, email addresses and phone numbers. While no payment information or Social Security numbers were accessed, this incident has raised new concern regarding the privacy of ridesharing apps.
So, how did the cyber attack happen? The breach reportedly stemmed from the GitHub website, which Uber software developers accessed on a regular basis. Two hackers were able to access GitHub and steal the developers’ login information. The hackers then used the developers’ usernames and passwords to access their Uber accounts on Amazon Web Services (AWS). This offered a treasure trove of data, including some 57 million personal records.
Uber Security Chief Joe Sullivan responded to the data breach by paying the attackers $100,000, a move for which Uber is now being criticized. Most cybersecurity analysts agree that paying any ransom or demand issued by a cyber criminal is the wrong approach. It encourages them and other cyber criminals to continue their illegal activity, and there’s no guarantee that the criminal will follow through with his or her end of the deal just because the victim has paid.
Of course, this isn’t the first time Uber has come under fire for its lax approach to privacy and security. As explained by TechCrunch, the company settled a privacy investigation with the Federal Trade Commission (FTC) in 2016 for a separate incident that occurred in 2014. This incident was smaller, however, resulting in the disclosure of some 100,000 drivers’ personal information.
It’s important to note that the 2014 data breach also involved the coding website GitHub. According to TechCrunch, Uber posted the login credentials for its AWS database on GitHub. Hackers were then able to use these credentials to access the company’s data and steal its drivers’ personal information.
The FTC responded to news of Uber’s latest data breach by saying it’s evaluating the case. This could mean trouble for Uber since the 2014 settlement placed new restrictions on the company’s privacy policies. If it violated the settlement’s consent order, Uber could face additional fines and penalties.