50,000 Drivers Compromised by Uber Data Breach
Ridesharing service Uber recently issued a statement confirming a breach in one of the company’s databases, affecting nearly 50,000 drivers. Uber claims that a “one-time unauthorized access to an Uber database by a third party” occurred in May 2014, and the company discovered the breach in September 2014. While the breach occurred nearly one year ago, Uber has just now revealed the news to the public.
50,000 seems like a large number, though Uber states that this is a “small percentage of current and former Uber driver partners”. According to the results of Uber’s investigation, only the names and driver’s license numbers of the affected users were compromised. After Uber discovered the breach, it immediately patched the vulnerability and changed the database’s access protocols. Furthermore, the company claims to “have not received any reports of actual misuse of any information as a result of this incident”.
However, Uber is finally notifying impacted drivers and providing them with a free year of identity protection service from Experian’s ProtectMyID. The company has also filed what is known as a “John Doe” lawsuit intended to gather more information about the identity of the hacker(s). Uber has also subpoenaed GitHub to hand over IP addresses for anyone who accessed a particular gist post between March and September 2014. It seems that the gist (which is no longer available) contained a login key to Uber’s database. Uber’s security team knows the public IP address of the hacker, and hopes to trace it back to someone on GitHub. Specifically, the subpoena calls for:
“all records, including but not limited to transactional or other logs, from March 14, 2014 to September 17, 2014, identifying the IP addresses or subscribers that viewed, accessed, or modified these posts and the date/time of access, viewing, or modification, as well as any records or metadata relating to the browser (i.e., logged HTTP headers, including cookies) or device that viewed, accessed, or modified the posts.”
For now, it’s unclear how far these efforts will go, and Uber is remaining mostly silent about any of the details.