The explosive revelation that Uber, the ride-sharing company, had covered up a significant data breach has taken another turn.
Today it has been revealed that the majority of Uber users in the UK were affected by the covered-up hack, in which names, email addresses and phone numbers were stolen.
“In the United Kingdom [the hack] involved approximately 2.7m riders and drivers,” Uber said in a statement. “This is an approximation rather than an accurate and definitive count because sometimes the information we get through the app or our website that we use to assign a country code is not the same as the country where a person actually lives.
“When this happened, we took immediate steps to secure the data, shut down further unauthorised access, and strengthen our data security.”
The ride-sharing company says that it has five million active passengers and 50,000 drivers in the UK.
Last week, it came out that 50 million customers and 7 million drivers had their details stolen in October due to a security flaw in Uber’s system. The Information Commissioner’s Office has said that, because of the length of time it has taken Uber to report the incident, the chance of a fine will increase.
In an attempt to cover up the breach, Uber paid the hackers £75,000 to delete the data and keep quiet – a plan orchestrated by former chief executive, Travis Kalanick.
Responding to the breach, London’s mayor Sadiq Khan said: “This latest shocking development about Uber will alarm millions of Londoners whose personal data could have been stolen by criminals. Uber need to urgently confirm which of their customers are affected, what is being done to ensure these customers don’t suffer adversely, and what action is being taken to prevent this happening again in the future.”
“The public will want to know how there could be this catastrophic breach of personal data security.”
Christopher Day, chief cyber security officer at Cyxtera, said the latest news is disturbing both in its scope and in its blatant abuse of public trust.
“Paying criminals to delete stolen data and failing to notify victims is disturbing on multiple levels. At a minimum, it flies in the face of ethics and transparency. It emboldens attackers and keeps the cybersecurity community from understanding techniques that could help other organisations prevent a similar attack. From a legal perspective, Uber failed to properly notify victims. This will inevitably cost the company dearly in terms of penalties and lawsuits. In fact, UK regulators are digging in already to understand the scope, which could trigger GDPR-related fines. The New York State Attorney General’s office is also investigating the event.”
“From what we know, attackers accessed GitHub, a code repository hosting service used by Uber developers. They obtained login credentials and hacked into a server storing data about Uber riders and drivers. This is a fairly ‘vanilla’ attack in terms of its sophistication. It could have been prevented by locking down access using an approach like a software-defined perimeter (SDP). Essentially, SDP isolates the user from accessing resources they aren’t entitled to see by leveraging multiple factors. It takes into consideration what the user is trying to do at the time they’re trying to do it. For example, in this case, the system could have required the hackers to present a one-time password before granting access to the server.”