Were you caught in the Uber Hack?

If you had an Uber account in October 2016, then you are probably among the 2.7 million users in the UK to have had personal information stolen at that time.

I’m basing that “probably” on the fact that the Independent says that there are CURRENTLY 3 million Uber users in the UK.

From what I have read, the “only” information stolen was users’ names, addresses and mobile phone numbers. I haven’t seen anything that suggests that credit card information was stolen. I’m a bit surprised (and sceptical) about this as I’m sure I had to give all of that to Uber when I (very briefly!) had an account with them in the summer of this year. Uber, themselves, say that credit card information was not stolen, but you probably won’t be any more reassured by that than I was. Uber’s new CEO said on this subject:

“Our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded.”

As we all know, though, absence of evidence is not the same as evidence of absence. You can read all of Dara Khosrowshahi’s statement on Uber’s 2016 Data Security Incident by clicking here.

If you had an Uber account last year and want to check whether you’ve had information stolen then I suggest you check with “Have I been pwned?”.

Even if no financial information, or information about specific Uber transactions, were stolen, the theft of names and email addresses can make other scams and crimes more likely against those affected. In particular, the combination of username and password stolen from Uber is likely to be tried in lots of other places online. You know what’s coming next – do not use the same password for more than one account. If “have I been pwned?” suggests your email address has been caught up in ANY data breaches (including the Uber one) then I really do recommend that you knuckle down to the chore of changing your passwords for all sensitive accounts and make the password unique to each account.

I suspect I’m banging my head against a brick wall, here, just as I suspect the same when haranguing my IT support clients about making data backups. However, I’ve seen enough grief and problems caused that I think it’s worth persevering with these issues.

[Image: Cabbie against Uber. Caption: Well, here’s one person who hopes Uber will lose their appeal]

What really hit the headlines about this breach wasn’t the fact that data had been stolen. It wasn’t even the fact that Uber had failed to tell its users of the breach. It was the fact that they had paid the hackers $100,000 to keep the breach quiet.

Surely even the most hardened “free enterprise supporter” would agree that this is indefensible. Not exactly the kind of thing that Uber want to come to light at the moment, with Transport for London having already concluded that “Uber London Limited is not fit and proper to hold a private hire operator licence”. (source: TfL). Although Uber’s licence to operate in London has now expired, they will be allowed to continue to operate until the result of legal appeals is announced. This could take a year, but hearings could start as soon as this month (December 2017).


(Last updated 11/12/2017)