Uber Fined $148M Following 2016 Data Breach
Uber was fined $148M this week. The sanctions were levied after the ride-sharing company took a year to disclose a major data breach. The hack occurred in late 2016, yet Uber did not disclose the breach to the New York State Attorney General’s Office and the Federal Trade Commission until November 2017. Uber failed to inform affected drivers, customers, and the public that hackers had accessed the personal data of Uber drivers and customers. Previously, the New York Attorney General fined Uber $20,000 in January 2016 for failing to disclose a 2014 data breach. The new settlement was announced yesterday.
The names, email addresses, and phone numbers of about 50 million Uber riders were compromised in the 2016 hack. The personal information of 7 million drivers was also taken, including the driver’s license numbers of some 600,000 U.S. app users. A forensic investigation, a common practice after a data breach, showed that rider trip histories, credit card numbers, bank account information, Social Security numbers, and birth dates were not downloaded.
The hackers sent an email to Uber demanding a ransom of $100,000. Instead of reporting the hack, Uber hid the evidence of the theft and paid the ransom to keep news of the hack quiet.
How Did the 2016 Uber Hack Happen?
Two former Uber employees accessed a GitHub repository used by current Uber software engineers. The hackers used login credentials obtained from that GitHub repository to gain access to data stored in an Amazon Web Services (AWS) cloud account that was also used by Uber engineers. The AWS cloud service contained the rider and driver personal information.
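The chain described above (a credential committed to a shared repository, then reused against a cloud account) is the kind of thing a repository secret scan is meant to catch before the commit lands. The following is an added example written for this article, not code from Uber or from the investigation. The article only says "login credentials obtained from GitHub"; this check assumes the credentials were AWS keys and relies on AWS's publicly documented key formats (access key IDs beginning with AKIA or ASIA, 40-character secret keys). The sample file contents are constructed, and the key values are AWS's own documentation placeholders, not real credentials.

```python
"""Scan repository file contents for hard-coded AWS credentials.

Added example of a pre-commit style secret check. Detection is by the
public AWS key formats: access key IDs start with AKIA (long-lived) or
ASIA (temporary) followed by 16 uppercase alphanumerics; secret access
keys are 40 base64-style characters, usually assigned to a variable
whose name contains "secret".
"""
import re
from typing import Dict, List, Tuple

# AKIA/ASIA prefix plus exactly 16 uppercase letters or digits.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Variable names such as AWS_SECRET_ACCESS_KEY / aws_secret_key / secret_key
# followed by a 40-character base64-style value, optionally quoted.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws)?_?secret(?:_access)?_?key\s*[:=]\s*['\"]?([A-Za-z0-9/+]{40})['\"]?"
)

Finding = Tuple[str, int, str]  # (path, line number, finding type)


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one finding per suspected credential in the given file text."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ACCESS_KEY_RE.search(line):
            findings.append((path, lineno, "aws_access_key_id"))
        if SECRET_KEY_RE.search(line):
            findings.append((path, lineno, "aws_secret_access_key"))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> file contents (e.g. the staged files of a commit)."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample repository contents (hypothetical paths; the key values
# are the placeholder keys from AWS's own documentation, not live credentials).
SAMPLE_FILES = {
    "deploy/settings.py": (
        "AWS_ACCESS_KEY_ID = 'AKIAEXAMPLE00000ZZZZ'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "README.md": "Configure credentials via the instance role; never commit keys.\n",
    "app/main.py": (
        "import boto3\n"
        "client = boto3.client('s3')  # credentials come from the environment or role\n"
    ),
}


if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for path, lineno, kind in results:
        print(f"{path}:{lineno}: possible {kind}")
    # A pre-commit hook would exit non-zero here to block the commit.
    raise SystemExit(1 if results else 0)
```

Run as a pre-commit hook, a non-zero exit blocks the commit that contains the match; the README and application code above pass because they obtain credentials from the instance role rather than embedding them. Pattern matching of this kind finds only known key formats, so it complements, rather than replaces, short-lived credentials and role-based access.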
Not the First Time for Uber
At the time of the 2016 data breach, Uber was already under scrutiny for multiple privacy violations involving its ride-sharing app. The Uber app was used to track employees’ spouses and significant others. The app also had a mode known as Greyball that had helped drivers identify and avoid local officials and law enforcement in cities where Uber was meeting resistance.
Uber has a history of disregarding ethical concerns and pushing legal boundaries. The FTC had issued a complaint against Uber for violating data privacy standards when its app continued to track users who had uninstalled it from their phones.
In October 2017, the Uber app was found to have constant access to iPhone screens even when the app was closed. Apple had granted the Uber app exclusive access to iPhones through the Apple-only entitlement “com.apple.private.allow-explicit-graphics-priority.” Entitlements are like the permissions on Android phones, which ask users for access to the camera, microphone, or contacts. The entitlement Uber employed allows its app to place things on your screen, usually images or maps.
Uber reached the agreement about the fine with all 50 states and the District of Columbia. The money from the settlement will be distributed based on the number of drivers in each state.
What is Uber?
Michelle writes about cyber security and data privacy, focusing on social media privacy as well as how to protect your IoT devices. She has worked in internet technology for over 20 years and owns METRONY, LLC. Michelle earned a B.S. in Engineering from Rensselaer Polytechnic Institute. Michelle published a guide to Cyber Security for Business Travelers.