How Bad Is the Uber Data Breach?

Though the information stolen in Uber's hack may not look that valuable, many consumers may still be hurt by the breach

Though the Uber data breach revealed this week wasn’t nearly as large as hacks involving Equifax and Yahoo, it still exposes consumers to increased security threats, according to cyber-security experts.

Uber acknowledged the hack on Tuesday, saying the stolen data—involving 57 million people worldwide—included names, personal email addresses, and phone numbers of customers. The breach also included the driver’s license numbers of 600,000 U.S. Uber drivers.

“Every time we lose another piece of private information to people with malicious intent, it’s never a good thing,” says Chester Wisniewski, a principal research scientist for the cybersecurity firm Sophos.

According to the ride-sharing company, the stolen files did not include financially sensitive information, such as credit card numbers, bank account numbers, Social Security numbers, or dates of birth. It also did not include trip location histories.

Even so, scammers could use names and email addresses to target and personalize phishing emails, increasing the chance that people might unwittingly hand over login information or click on a link that takes them to a malicious website.

You might think you're getting an email from an organization or person who knows you, but it's really from crooks who can now match your name with an email address to gain your trust.

At this time of year, cyber criminals often send out emails that look like shipping notifications or solicitations from charities for holiday donations.

They also can use the stolen information for old-school phone scams, which are much more effective if the scammer knows your name and address.

All the ploys can result in stolen identities, links that install ransomware on computers, and various scams that bilk people out of their hard-earned money.

As for the driver’s license numbers, the good news is they’re not really that useful to hackers here in the U.S., Wisniewski says.

Bloomberg News has reported that former Uber CEO Travis Kalanick learned about the breach shortly after it happened a year ago. But instead of reporting that customer data had been exposed as required by state laws, the company allegedly paid the hackers $100,000 to relinquish the data and keep quiet about the breach.

Uber's security chief Joe Sullivan and a subordinate have since been dismissed, the company says. Kalanick stepped down from his position in June 2017, following a series of unrelated scandals.

More Laws Needed

This latest breach highlights the lack of corporate accountability when it comes to protecting customer and employee data, says Justin Brookman, director of consumer privacy and technology policy for Consumers Union, the policy and mobilization division of Consumer Reports.

He says current U.S. laws don't do enough to make companies proactive about shielding data from savvy hackers.

"Congress has failed to act for far too long to pass security legislation that includes robust penalties and enforcement for companies that disregard the law," he adds. "The time for Congress to act is now, before the next breach happens."

In an earlier incident, Uber waited six months to tell its users about a 2014 breach and ended up paying a $20,000 fine to New York State. The company did not pay any penalties to the Federal Trade Commission as part of a settlement reached this year following an investigation into Uber's security practices.

All but a few states have breach disclosure laws that require companies to inform them when the personal information of their residents has been compromised. The companies can face fines and other penalties for violating those laws, says Steven Rubin, a partner and co-chair of the cybersecurity practice at the New York-based law firm Moritt Hock & Hamroff.

According to Mark Nunnikhoven, vice president of cloud research for the internet security firm Trend Micro, that sort of transparency is critical.

“Stiff fines are needed for organizations that fail to be transparent and fail to put in the effort needed to protect personal information,” he says.

New York State Attorney General Eric Schneiderman has launched an investigation into this latest Uber breach, according to a spokeswoman in his office.

The Federal Trade Commission also could take some sort of action. On Wednesday, an FTC spokeswoman would only say that the commission is aware of the press reports describing the breach, along with Uber officials’ actions following it, and is “closely evaluating the serious issues raised.”

Bree Fowler

I write about all things "cyber" and your right to privacy. Before joining Consumer Reports, I spent 16 years reporting for The Associated Press. What I enjoy: cooking and learning to code with my kids. I've lived in the Bronx for more than a decade, but as a proud Michigan native, I will always be a die-hard Detroit Tigers fan no matter how much my family and I get harassed at Yankee Stadium. Follow me on Twitter (@BreeJFowler).