On Friday February 27th the popular car service, Uber, made it known that they had suffered a data breach on May 13th 2014. The breach itself wasn’t discovered until September 17, 2014 and the notification only went out just a few hours ago. I’m fairly certain that it is Friday (or at least it was when I started writing this) roughly six months after the breach was discovered.
Hmm.
The size of this breach is significant in that it affects roughly 50,000 drivers across the United States. Which, according to Uber’s Managing Counsel, is only a small percentage of the Uber driver base. In a blog post from Uber's website they state that the data which was accessed, by an unknown third party, only contained names and drivers licenses.
From the notification that was sent to affected Uber drivers:
We discovered in September that information allowing someone to access the database had been available without intended access restrictions. We immediately ensured that they database was no longer accessible using that information and have taken additional safety measures to protect your information.
My first question, as you might well imagine, how is it that it took the company 5 months to notice the intrusion in the first place? It strikes me that they were not doing proper monitoring and alerting in this case. A hard lesson to learn. As well, they do not give any indication as to how they discovered the breach in this case. If the credentials were readily available as the letter to drivers indicates it is entirely possible that a good samaritan dropped them a note.
The company is rolling out the standard one year of credit monitoring for the drivers that were affected by this data breach.
The blog post also indicated that the company has filed what is called a “John Doe” lawsuit in the hopes of collecting the necessary information to have charges pressed in the event that the attacker is identified. I’d hazard that this is an unlikely scenario.
Uber has been no stranger to data privacy issues. Case in point was the ‘God View’ story that broke which showed that the company had the ability to track riders at will. Hopefully for the sake of their drivers and customers these data privacy issues will become less common going forward.
The really odd thing that I have noticed is that data breaches have not been seen to have a material impact on stock prices. Case in point, companies such as
I do worry about the steady pace of data breach stories that keep popping up. In this particular case we see that this problem, at least appears to have been, easily preventable.
(Image taken as screen capture from Uber's website)
