The Uber leak and what you can do to secure yourself


(Bick Bhangoo) #1

In a news release that shook the industry, Uber disclosed that a year earlier it had suffered a breach in which attackers took account information for 57 million riders and drivers, and that the attackers agreed to delete their copy only after Uber paid them $100,000. The breach itself should have been disclosed when it happened; that Uber kept it secret for more than a year is the larger concern. More troubling still, it came on the heels of a previous attack, after which Uber had promised to tighten its security. So the question is how secure your account really is in Uber's systems.

The Hack Attack Explained

In October 2016, attackers gained access to Uber's data and downloaded details on 57 million riders and drivers, including the driving licence numbers of around 600,000 drivers. As reported at the time, the attackers got in using credentials they found in a private GitHub repository used by Uber engineers, which let them pull the data from Uber's cloud storage account. They then demanded $100,000 to destroy the data, and Uber paid. Uber also withheld the attack from the public, in direct violation of breach notification laws in 48 states and, potentially, federal law.

Uber's new CEO Dara Khosrowshahi stated that the handling of the breach was unethical and wrong, and that this is why he notified the authorities once he became aware of it after taking up his new position. However, he is reported to have known of the attack for some time before he released the information, so is there a crack in his shiny new suit of armor? If he knew of the attack on entering his official role, why did he wait more than a month to publicize it? That delay may itself breach the notification deadlines written into several state laws.

What does this mean for Passengers?
The rider information that was taken did not include highly sensitive data such as Social Security numbers, financial details or driving licence numbers. It did, however, include names, e-mail addresses and phone numbers, which is more than enough for phishing attacks.

Once a phisher has enough information to impersonate an Uber staff member, all they need to do is send fake e-mails to Uber riders, using the details they already hold to look convincing. Unsuspecting recipients who click the fake link and enter their Uber password hand the attacker control of their account, and with it the stored payment details and any other information held there.
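As an added example, not part of the original post, here is a small Python check for the one thing a rider can verify before clicking: whether a link really leads to the site it claims to. The allowlisted domain is an assumption for illustration; the sample links are constructed, not taken from any real campaign.

```python
from urllib.parse import urlsplit

# Assumption for illustration: domains a genuine Uber message would link to.
LEGIT_DOMAINS = ("uber.com",)


def real_host(url: str):
    """Host the browser would actually connect to, lowercased, or None."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None
    # .hostname drops userinfo ("uber.com@evil.example" -> "evil.example"),
    # the port and IPv6 brackets, and lowercases the name.
    return parts.hostname


def is_legit_link(url: str, legit_domains=LEGIT_DOMAINS) -> bool:
    """True only if the link's real host is an allowlisted domain or a subdomain of one."""
    host = real_host(url)
    if not host:
        return False
    # Non-ASCII or punycode hosts can spell a brand with lookalike glyphs;
    # reject them rather than try to normalise them.
    if not host.isascii() or "xn--" in host:
        return False
    # Exact match or a true subdomain. A plain substring test would accept
    # "uber.com.account-verify.example" and "secure-uber.com".
    return any(host == d or host.endswith("." + d) for d in legit_domains)


def triage_links(urls):
    """Pair each link with its real host and a verdict so the reasons are visible."""
    return [(url, real_host(url), "ok" if is_legit_link(url) else "SUSPICIOUS")
            for url in urls]


# Constructed sample links of the kinds seen in credential-phishing mail.
SAMPLE_LINKS = [
    "https://riders.uber.com/account/reset",          # genuine subdomain
    "https://uber.com.account-verify.example/login",  # brand used as a prefix
    "https://uber.com@evil.example/",                  # brand hidden in userinfo
    "https://secure-uber.com/",                        # lookalike registration
    "https://evil.example/?next=https://uber.com",    # brand only in the query
    "https://xn--ber-ioa.com/",                       # punycode (internationalised) host
]

if __name__ == "__main__":
    for url, host, verdict in triage_links(SAMPLE_LINKS):
        print(f"{verdict:10s} host={host!s:36s} {url}")
```

The check deliberately errs on the side of rejecting: a link that fails it is not necessarily malicious, but a rider who only follows links that pass it will not be caught by the common tricks above. It does not replace hovering over the link in a mail client, which shows the same host this code extracts.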

Also, since breaches are rarely isolated, attackers trading on the "dark web" can obtain data from other breaches and cross-link it, building a complete profile of a person and putting it to nefarious use, up to and including one of the most damaging: identity theft.

No one can actually prove the attackers deleted the information; they could have made any number of copies and stored them in many places for future use.

What does this mean for Drivers?
The same applies to drivers, only worse. Once an attacker can pair a driving licence number with a name (or, worse still, has a scanned image of the licence, which gives them every detail including a photo), they can start to build identity documents that put a driver in a precarious position. Drivers are especially exposed, because their licence details can be copied and used by other people when stopped by police. Combined with cross-linked stolen data such as Social Security numbers, that is enough to assemble a complete stolen identity.

Attackers can also phish drivers directly, posing as Uber and asking for details that give them access to the driver's account. From there they can take more data, such as Social Security and financial details, or change the payout details so that the driver's income is routed to an account the attacker controls.

48 States Violations
Forty-eight US states, plus the District of Columbia, Puerto Rico and the US Virgin Islands, have laws requiring mandatory notification of security breaches. Uber's failure to notify under those laws exposes it to enforcement action by each state as well as to lawsuits from the people whose information was stolen. So, effectively, Uber is open to 48 state-level actions and a class action on behalf of 57 million people.

Since Uber did not notify the authorities a year ago, we have to ask what it serves them to do so now. What reason did they have to come clean, knowing the damage and fallout this information would bring? Uber CEO Dara Khosrowshahi states that everyone involved in the issue has left the company, but either he is naive or he misunderstands the law: it is not the individuals who are being sued but the company, meaning Uber, Rasier LLC and all the other subsidiaries that drivers signed up with and that riders signed on to. They did not sign on with Travis Kalanick or any other individual; they signed on with Uber, and so Uber is the entity being sued, not the individual.

Does Khosrowshahi think that because he is cleaning house, the law will pass up the chance to extract payback for past conduct? It is not about the attack or the people behind it; it is about getting money out of a big, fat, juicy $60 billion company, and states as well as lawyers representing clients will have a field day, since there is only one plausible conclusion: guilty. So it is more a question of how much the courts will judge to be appropriate than whether they will. One other important point: Khosrowshahi's statement that everyone involved has left was not accurate either. The main instigator of how the attack was dealt with, Travis Kalanick, still sits on Uber's board of directors and is a major shareholder.

Uber Data Security Naivety
One big issue I raised above is how sure Uber can be that the attackers erased the data. They cannot be, and that is partly because they never involved the authorities, who have the tools to evaluate the incident and deal with it at every level. By keeping the matter in house, paying the ransom and notifying neither the public nor the authorities, Uber showed a criminal naivety in handling the situation; criminal in the sense that it had enough security personnel and legal counsel on hand to state the obvious. So the question is: who stated the obvious, and who disregarded it? And a further question: what has Uber done to assure the public and the authorities that its systems are now secure?

What do you do now?
There are a number of things both drivers and riders can do, although none of them prevents a breach at Uber itself. They are preventive measures that limit the damage to your other accounts and data if an attack occurs.

  1. Opt in to Uber's security notifications.
    This will not stop your data being caught up in a breach; it simply tells Uber that you want to be notified of any security issues as they arise.

  2. Change your Uber password, and change it in any other online service where you used the same one. Do not reuse a password across the apps and sites you are signed up to; one leaked password then opens every account that shares it.

  3. Use a password manager so that every account gets its own unique password that you do not have to remember. If you do not trust a third-party app with your passwords, at least avoid deriving them from one base password with small, predictable changes; attackers who obtain a leaked password routinely try exactly those variations against other services.

  4. Passwords should be at least 8 characters (longer is far better) and mix capital letters, numbers and symbols. To understand why length matters: services store passwords as hashes, and an attacker who steals the hash database tries guesses offline. How long that takes depends on the hashing algorithm, the attacker's hardware and the character set, but as a rough illustration, a fast, unsalted hash lets an attacker exhaust every 8-character password in about 15 minutes, while an 11-character password from the same character set takes decades at the same guess rate.

  5. Uber's free credit monitoring is worth signing up for. It does not affect your credit score; it simply monitors activity on your credit file so that you learn of any irregularities quickly.
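As an added illustration of points 3 and 4 (not part of the original post), the following Python works out what the crack-time figures actually imply and generates the kind of unique random password a manager would hand you. The guess rates are assumptions for illustration: whatever rate makes the "8 characters in 15 minutes" figure true for a fast unsalted hash, and roughly 100,000 guesses per second against a slow hash such as bcrypt.

```python
import math
import secrets
import string

# Full printable ASCII set: 26 + 26 + 10 + 32 = 94 characters.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_password(length: int = 16, alphabet: str = FULL_ALPHABET) -> str:
    """Uniformly random password from the OS CSPRNG (what a password manager does)."""
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need a positive length and at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def exhaustive_search_seconds(length: int, alphabet_size: int,
                              guesses_per_second: float) -> float:
    """Time to try every password of this shape; the average hit takes half that."""
    return alphabet_size ** length / guesses_per_second


def implied_guess_rate(length: int, alphabet_size: int, seconds: float) -> float:
    """Guess rate an attacker needs to exhaust the space within `seconds`."""
    return alphabet_size ** length / seconds


def years(seconds: float) -> float:
    return seconds / SECONDS_PER_YEAR


def crack_time_table(rates: dict, lengths=(8, 11, 16),
                     alphabet_size: int = len(FULL_ALPHABET)) -> dict:
    """Map (hash label, length) -> years to exhaust the keyspace at that hash's rate."""
    return {(label, n): years(exhaustive_search_seconds(n, alphabet_size, rate))
            for label, rate in rates.items() for n in lengths}


if __name__ == "__main__":
    size = len(FULL_ALPHABET)
    # Rate the "8 characters in 15 minutes" figure implies. This is an assumption
    # about the attacker's hardware; it is in the range of GPU rigs against a
    # fast unsalted hash, and far above what a slow hash like bcrypt allows.
    fast_rate = implied_guess_rate(8, size, 15 * 60)
    rates = {"fast unsalted hash": fast_rate,
             "bcrypt (assumed 1e5 guesses/s)": 1e5}
    for (label, n), yrs in sorted(crack_time_table(rates).items()):
        print(f"{label:32s} {n:2d} chars: {entropy_bits(n, size):5.1f} bits, "
              f"{yrs:.3g} years to exhaust")
    print("fresh 16-char password:", generate_password(16))
```

Two things the table makes visible that the rule of thumb hides: each extra character from the 94-symbol set multiplies the attacker's work by 94, which is why 11 characters take decades where 8 take minutes, and the choice of hash on the server side moves the same 8-character password from minutes to centuries. You control the first lever; the second is why a service that stores passwords badly can turn a reasonable password into a weak one.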

Conclusions
Uber has done some incredibly bad things in the past and is currently being investigated for industrial espionage in the Waymo case. Even the upfront pricing irregularities with driver pay are bad, but this case is the worst. It shows how Uber's executives blatantly disregarded federal and state laws that protect their customers, employees and drivers. It is, in fact, proof that Uber's executives cared about nothing but their target, and would do anything to reach it, even if it meant putting 57 million people at risk along the way. Can you imagine what would have happened had those files included Social Security and credit card details? The fallout would have been nuclear. The fact that they did not does not change the way Uber approached the attack. The bottom line: is the new executive team change enough, or should Uber face the full brunt of the law, especially when Travis Kalanick remains on Uber's board of directors and a major shareholder, as well as the chief instigator of how the attack was dealt with?