If you had an Uber account in October 2016, then you are probably among the 2.7 million users in the UK to have had personal information stolen at that time.

I’m basing that “probably” on the fact that the Independent says that there are CURRENTLY 3 million Uber users in the UK.

From what I have read, the “only” information stolen was users’ names, addresses and mobile phone numbers. I haven’t seen anything that suggests that credit card information was stolen. I’m a bit surprised (and sceptical) about this as I’m sure I had to give all of that to Uber when I (very briefly!) had an account with them in the summer of this year. Uber, themselves, say that credit card information was not stolen, but you probably won’t be any more reassured by that than I was. Uber’s new CEO said on this subject:

“Our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded.”

As we all know, though, absence of evidence is not the same as evidence of absence. You can read all of Dara Khosrowshahi’s statement on Uber’s 2016 Data Security Incident by clicking here.

If you had an Uber account last year and want to check whether you’ve had information stolen then I suggest you check with “Have I been pwned?”.

Even if no financial information, or information about specific Uber transactions, were stolen, the theft of names and email addresses can make other scams and crimes more likely against those affected. In particular, the combination of username and password stolen from Uber is likely to be tried in lots of other places online. You know what’s coming next – do not use the same password for more than one account. If “have I been pwned?” suggests your email address has been caught up in ANY data breaches (including the Uber one) then I really do recommend that you knuckle down to the chore of changing your passwords for all sensitive accounts and make the password unique to each account.

I suspect I’m banging my head against a brick wall, here, just as I suspect the same when haranguing my IT support clients about making data backups. However, I’ve seen enough grief and problems caused that I think it’s worth persevering with these issues.

Well, here’s one person who hopes Uber will lose their appeal

What really hit the headlines about this breach wasn’t the fact that data had been stolen. It wasn’t even the fact that Uber had failed to tell its users of the breach. It was the fact that they had paid the hackers $100,000 to keep the breach quiet.

Surely even the most hardened “free enterprise supporter” would agree that this is indefensible. Not exactly the kind of thing that Uber want to come to light at the moment, with Transport for London having already concluded that “Uber London Limited is not fit and proper to hold a private hire operator licence”. (source: TfL). Although Uber’s licence to operate in London has now expired, they will be allowed to continue to operate until the result of legal appeals is announced. This could take a year, but hearings could start as soon as this month (December 2017).

Has your email address (and, possibly, password) been caught up in a data breach?

A ne’er-do-well

If, like me, you have never heard of the word “pwned”, then I am pleased to elucidate by quoting Wikipedia’s definition:

Pwn is a leetspeak slang term derived from the verb own, as meaning to appropriate or to conquer to gain ownership. The term implies domination or humiliation of a rival, used primarily in the Internet-based video game culture to taunt an opponent who has just been soundly defeated (e.g., “You just got pwned!”).

Yes, I know, “leetspeak” isn’t a proper word either. If you care enough, you can check it here – https://en.wikipedia.org/wiki/Leet.

The important point, though, is that the website https://haveibeenpwned.com/ performs a valuable (free) service in telling you if your email address has been involved in a data breach. You can even ask them to send you a free email advising you if it should happen in the future.

What do we mean by “…involved in a data breach” and why is it serious?

Suppose some ne’er-do-well hacks into a website and manages to steal a list of usernames and passwords of people who have registered with that site. That is a data breach.

Now let’s suppose that the website www.nasaltrimmers.com suffers such a breach. You hear about it on the 6 o’clock news and you think to yourself “hmm, didn’t I register with them last year when I had a sudden outbreak of nasal hair?” You might be tempted to shrug it off, thinking “how bad could it possibly be?”

Well, if you are one of the countless people who have ever used the same email address (as a username) and the same password on several different websites, then it could be very serious indeed.

Would you want one single key to fit every lock you have?

Computer hackers do realise that there’s a huge number of people who only use one email address and that that email address is used as a username on countless websites. Moreover, they also know people re-use the same password. So, the danger doesn’t lie in them knowing that you bought the super, high-speed, high-power nasal trimmer. Rather, the danger lies in them trying that same combination of username and password on Amazon, LinkedIn, Facebook, Waitrose, Ocado…

This is why you MUST NOT re-use passwords.
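To see how far one breach reaches, you can audit your own saved logins. The following is an added example, not part of the original post: it assumes a password-manager export in a three-column CSV layout (site, username, password), and the sample rows, domains and function names are constructed for illustration.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample in the shape of a password-manager CSV export.
SAMPLE_EXPORT = """site,username,password
nasaltrimmers.com,pat@example.com,Tr1mmer!2016
amazon.co.uk,pat@example.com,Tr1mmer!2016
linkedin.com,pat@example.com,Tr1mmer!2016
facebook.com,pat@example.com,x9#Lq2vB7pWz
ocado.com,pat.shopping@example.com,Tr1mmer!2016
"""

def load_accounts(text):
    """Parse the export into (site, username, digest); plaintext is dropped after hashing."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        digest = hashlib.sha256(row["password"].encode("utf-8")).hexdigest()
        accounts.append((row["site"].strip().lower(), row["username"].strip().lower(), digest))
    return accounts

def reused_passwords(accounts):
    """Return {digest: sorted sites} for every password used on more than one site."""
    by_digest = defaultdict(set)
    for site, _user, digest in accounts:
        by_digest[digest].add(site)
    return {d: sorted(s) for d, s in by_digest.items() if len(s) > 1}

def exposed_by_breach(accounts, breached_site):
    """Other sites where the exact username+password pair held by breached_site also works."""
    leaked = {(u, d) for s, u, d in accounts if s == breached_site}
    return sorted(s for s, u, d in accounts if s != breached_site and (u, d) in leaked)

def change_list(accounts, breached_site):
    """Sites needing a new password: same pair first, then same password under another username."""
    leaked_digests = {d for s, _u, d in accounts if s == breached_site}
    same_pair = exposed_by_breach(accounts, breached_site)
    same_password = sorted(s for s, _u, d in accounts
                           if s != breached_site and d in leaked_digests
                           and s not in same_pair)
    return same_pair, same_password

if __name__ == "__main__":
    accounts = load_accounts(SAMPLE_EXPORT)
    urgent, also = change_list(accounts, "nasaltrimmers.com")
    print("Change immediately (same login works):", urgent)
    print("Change next (same password, other username):", also)
```

Delete the export file once the audit is done, since it holds every password in plain text.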

So, the website https://haveibeenpwned.com/ kindly lets you know whether any of the major data breaches in the past have exposed your email address and also lets you know – free – if you get caught up in any new data breaches. I strongly recommend that you take just a couple of minutes out of your life to visit the site, click on the “notify me” link at the top of the page, and risk being mildly irritated by having to prove that you are not a robot. After that, you can forget it. You just need to consider whether there’s any action you need to take if you get an email from them some time in the future telling you that somewhere you registered that email address has been hacked into.

Health Warning: I don’t think they claim to know about EVERY data breach. They are certainly not claiming that you’ve never been involved in a data breach if they don’t know about it. Nevertheless, it’s a simple, free way of improving your online security.

If you’re interested in seeing some of the biggest data breaches of the past, have a look at the bubble chart here.

© 2011-2017 David Leonard