Uber, the crowd-sourced, taxi-like alternative service, admitted late Friday that an unauthorized third party gained access to the company’s internal database and stole important driver and employee information, while assuring that no customer information had been stolen in the breach.
In its public statement, Uber claims there was a “one-time access” to its database, in which hackers stole the names and license numbers of more than 50,000 “driver partners” located in various states throughout the nation. Uber claims the roughly 50,000 affected drivers represent just a small percentage of its current and former drivers.
The company claims the breach occurred May 14, 2014 and went undiscovered until September 17, 2014.
“Immediately upon discovery we changed the access protocols for the database, removing the possibility of unauthorized access,” Katherine Tassi, Uber’s managing counsel of data privacy, said in a statement Friday. “We are notifying impacted drivers, but we have not received any reports of actual misuse of information as a result of this incident.”
Alongside changing its access protocols following the breach, Uber is also filing what is known as a “John Doe” lawsuit to help gather more information and possibly confirm the identity of the culprit or third party that caused the security breach.
As is common in data breaches seen in recent years, Uber has contacted affected drivers and is offering them one free year of Experian’s identity theft protection service.
Concerns have been raised about whether the company really suffered a breach or whether a third-party service Uber was working with exceeded its bounds. Information regarding the Uber breach is minimal.
Uber took proper steps to notify the public of the breach, almost complying with Obama’s newly proposed national data breach notification standard, a new piece of legislation that would require hacked companies to notify the public of a breach within 30 days of the company learning of it.
It was not made clear how Uber concluded that a breach which went unnoticed for over 4 months was a one-time access, nor is it clear how the company can assure that no customer data was impacted. Uber did not reply to a request for further comment prior to publication.
Update May 3: Uber stored its sensitive database security key on a public GitHub page preceding the breach.