After a Year of Secrecy, Uber Data Breach Revealed

Hackers stole data on 57 million people, including names, email addresses, phone numbers

Sign with logo at the headquarters of car-sharing technology company Uber in the South of Market (SoMa) neighborhood of San Francisco, California, with red vehicle visible in the background parked on Market Street, October 13, 2017. SoMa is known for having one of the highest concentrations of technology companies and startups of any region worldwide. (Photo by Smith Collection/Gado/Getty Images)

Uber announced Tuesday that in late 2016 it was hit by a data breach that exposed the personal information of 57 million people, including customers around the world and 600,000 drivers in the United States.

According to Uber, the compromised data included names, personal email addresses, and phone numbers of its customers. The ride-sharing company says there’s currently no indication that trip location history, credit card numbers, bank account numbers, Social Security numbers, or dates of birth were stolen. The drivers’ information that was taken included names and driver’s license numbers.

According to multiple reports, two hackers got into a private code repository on GitHub, a website for software collaboration, that was used by Uber engineers. Stored in that repository were log-in credentials for Amazon Web Services, the cloud platform where Uber kept the data. With those credentials, the hackers were able to download the customer and driver records from Uber's AWS account.
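The failure described above is a credential committed to a source repository, where anyone with repository access can harvest it. The script below is an added example, not code from the article, from Uber, or from any product named here: it scans file contents for AWS-format credentials and can be run over staged changes as a pre-commit check. The key-ID and secret-key formats are AWS's published ones; the sample files, paths and variable names are constructed for this example, and the credential values are the placeholder keys AWS uses in its own documentation, not live keys.

```python
import math
import re
from collections import Counter

# AWS access key IDs are 20 characters: a 4-letter prefix (AKIA for long-term
# user keys, ASIA for temporary STS keys) followed by 16 upper-case alphanumerics.
ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])((?:AKIA|ASIA)[0-9A-Z]{16})(?![A-Z0-9])")

# Secret access keys are 40 characters of [A-Za-z0-9/+]. That alone matches a lot
# of harmless base64, so require a "secret"-ish variable name just to the left.
SECRET_KEY_RE = re.compile(
    r"(?i)secret(?:_?access)?_?key\W{0,5}([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)


def shannon_entropy(s: str) -> float:
    """Bits per character; a placeholder such as 'XXXX...' scores near 0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def mask(secret: str) -> str:
    """Never echo a whole credential into CI logs; show just enough to locate it."""
    return secret[:4] + "..." + secret[-4:]


def scan_text(path: str, text: str, id_min_entropy: float = 3.0,
              secret_min_entropy: float = 3.5) -> list:
    """Return one finding per credential-looking token; entropy filters placeholders."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            key_id = m.group(1)
            if shannon_entropy(key_id) >= id_min_entropy:
                findings.append({"path": path, "line": lineno,
                                 "kind": "aws_access_key_id", "preview": mask(key_id)})
        for m in SECRET_KEY_RE.finditer(line):
            secret = m.group(1)
            if shannon_entropy(secret) >= secret_min_entropy:
                findings.append({"path": path, "line": lineno,
                                 "kind": "aws_secret_access_key", "preview": mask(secret)})
    return findings


def scan_files(files: dict) -> list:
    """files maps path -> contents (e.g. built from `git diff --cached`)."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample "repository" (hypothetical paths). The key values are the
# placeholder credentials from AWS documentation, not real keys.
SAMPLE_FILES = {
    "config/aws_settings.py": (
        "# hypothetical settings file committed by mistake\n"
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "README.md": (
        "Set these in your environment, never in the repo:\n"
        "    AWS_ACCESS_KEY_ID=AKIA" + "X" * 16 + "\n"
        "    AWS_SECRET_ACCESS_KEY=" + "x" * 40 + "\n"
    ),
    "app.py": "SESSION_TIMEOUT_SECONDS = 300\n",
}

if __name__ == "__main__":
    hits = scan_files(SAMPLE_FILES)
    for f in hits:
        print(f"{f['path']}:{f['line']}: {f['kind']} {f['preview']}")
    # Non-zero exit lets a pre-commit hook or CI job block the commit.
    raise SystemExit(1 if hits else 0)
```

Against the sample files this reports the two real-looking values in config/aws_settings.py and ignores the README placeholders, whose entropy is too low. A scanner like this is a backstop, not the fix: the stronger control is to issue code short-lived credentials through IAM roles so there is no long-lived key to commit in the first place, and any key that has already been pushed must be treated as compromised and rotated, since deleting it from the working tree leaves it in the repository history.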

Bloomberg News reported that former CEO Travis Kalanick learned about the breach shortly after it happened. Instead of reporting that customer data had been exposed, as is required by state laws, Uber reportedly paid the hackers $100,000 to relinquish the data and keep quiet about the breach, the report says. The company's security chief, Joe Sullivan, and a subordinate were terminated, according to the report. Kalanick stepped down from his position in June 2017, following a series of unrelated scandals.

“None of this should have happened, and I will not make excuses for it,” said Uber CEO Dara Khosrowshahi in a letter posted on the company’s website.

New York to Launch Investigation

The Uber breach is the latest in a series revealed this year from companies including Equifax and Yahoo and affecting hundreds of millions of consumers.

The news comes just a few months after Uber settled an investigation of its security practices by the Federal Trade Commission that was launched in response to a 2014 data breach.

Consumer Reports reached out to the FTC about the newly reported data breach, but spokesperson Juliana Grunwald Henderson said, “We have no comment at this point.”

New York Attorney General Eric Schneiderman is launching an investigation into the hack, spokeswoman Amy Spitalnick said, according to reports published in USA Today and other outlets. Uber had reached a settlement with Schneiderman regarding the company's failure to promptly disclose the 2014 data breach, along with undisclosed tracking of some riders' locations.

“At this point in time I don’t think anyone can have any confidence that companies can keep their data safe," says Casey Oppenheim, co-founder of the data security firm Disconnect. "That being said, it’s completely egregious, inappropriate, and probably illegal.”

Oppenheim suggests that if corporations were routinely held financially accountable for such data breaches, it would serve as a deterrent to future breaches.

"Corporations have a fiduciary responsibility to their shareholders and if they think they can get away with cutting costs when it comes to securing data, they're going to keep doing that unless they see there's a potential financial downside—a huge company being taken down for a failure to consider privacy and security," Oppenheim says. "It's time for that to happen."

Maureen Mahoney, public policy fellow at Consumers Union, the policy and mobilization arm of Consumer Reports, called Uber's failure to report the incident a "breach of trust."

“It was absurd and illegal for Uber to hide this data breach for a year,” she said. “And this is far from the first time that Uber has simply ignored legal protections because it found them to be unnecessary or inconvenient.”

What Consumers Can Do

Uber said it will notify drivers whose license numbers were downloaded, and provide those drivers with free credit monitoring and identity theft protection. However, the company is not taking any steps for the consumers whose data was compromised beyond “monitoring the affected accounts."

What can customers do to protect themselves? The first step is simply to be aware of suspicious activity on your account. The company has posted on its website instructions on how to report unusual activity.

The next step, according to Oppenheim, is to create a secure email address that’s separate from the email that was compromised in the Uber attack. If you were using the same email address for both Uber and other accounts containing valuable or sensitive information—such as banking, credit, or health records—switch those accounts to the new email account.

From there, be scrupulous about maintaining the integrity of the secure account, while using the potentially compromised email for low-risk activities such as signing into shopping sites. "Everyone should have what I call a 'burner' email," Oppenheim says. "One that they don't mind giving out to everyone. It's a go-to that's not tied to your personal information, and where you don't care that much if it gets hacked."

He also suggests being judicious when giving out your phone number.

Uber’s service is one that requires you to provide a valid mobile number. But in general, Oppenheim suggests thinking twice before sharing your number.

“It’s a direct marketing channel to you, perhaps the most direct,” he says. “So when you’re filling out a random form, ask yourself ‘Do they really need to know my phone number?’"

Correction: An earlier version of this story stated that Uber was required by federal and state laws to report the exposure of customer data. In fact, only state laws require such reporting.

Allen St. John