Uber, how have you betrayed us? The popular ride share app revealed on Nov. 21 that a massive hack had exposed data for an eye-watering 57 million Uber users internationally. The hack, which occurred over a year ago in October of 2016, was kept secret for over a year, which honestly isn’t very reassuring. But now that we know about it, of course we all have the same question — did my Uber account get hacked?
According to Bloomberg Technology, the hacked data included names, email addresses and phone numbers of riders, but thankfully no Social Security numbers, credit card info, or trip location details. Uber's website already has a page for riders who may have been affected by the hack, but unfortunately there's no way to check to see if your data was compromised. Uber advised that there's been "no evidence of fraud or misuse" associated with the hack, although they also note they're watching the accounts and have flagged them for fraud protection in case. It also encouraged riders to keep an eye on their own accounts for unusual use, and to report a hacking if they see anything suspicious.
It’s worse if you’re a driver, though — Uber said that approximately 600,000 U.S. driver’s license details were stolen. In a statement on their website, Uber said that each driver whose information was stolen would be individually notified, and that Uber would provide said drivers with free identity theft protection and credit monitoring. The statement also offered a link where drivers can check to see if their information was compromised.
Of course, it's already been a year since the hack took place, and the potential for damage to have already been done is high. So why are users only hearing about it now?
According to Bloomberg, the company's initial response in the face of the breach was to keep quiet and pay off the unidentified hackers. Uber reportedly paid $100,000 to the data thieves to get them to delete the data and keep quiet. Possibly worse, the data was apparently relatively easy to get at. Two hackers reportedly used login credentials they got off a GitHub coding site used by Uber employees to access data stored on an Amazon Web Services account that Uber used, and from there, get at an archive of user data.
In a statement from CEO Dara Khosrowshahi on Tuesday, the company admitted the breach, saying that it "took immediate steps to secure the data and shut down further unauthorized access by the individuals," and "obtained assurances that the downloaded data had been destroyed."
In the statement, Khosrowshahi said that the company was taking steps towards better security and apologized to users for the way Uber handled the hack:
None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.
He stated that two employees who led the response to the data breach had been fired.
A spokesperson for the New York Attorney General's office told Bloomberg that they have launched an investigation into the hack, but, as The Guardian points out, this is only the cherry on the top of a terrible year of PR for Uber.
In January, there was the #DeleteUber viral trend, when the company undermined a New York City taxi driver strike in protest of Donald Trump's travel ban, and instead continued taxi service to and from New York City's JFK airport. There was also former employee Susan Fowler's allegations of sexual harassment at the company, which was published as a blog post in February. And in March, The New York Times published a report that said that Uber was using a system called "Greyball" to avoid and mislead authorities in the cities it operated in. All of it isn't even to mention the leadership shakeup in June, when former CEO Travis Kalanick resigned amid what CNN called a "leadership crisis." So, things aren't going well.
The comfort of calling a cab from your phone aside, it might be time to consider taking public transit again, at least for awhile. After all, a bus pass never accidentally gave your phone number away.