pixel_dreams - Fotolia

News Stay informed about the latest enterprise technology news and product updates.

Uber database breach source of stolen driver information

Following the theft of data affecting about 50,000 of its drivers, Uber says it has filed a subpoena to obtain GitHub data that may pinpoint the source of its data breach.

San Francisco-based Internet ride-sharing company Uber Inc. has revealed that personal data on tens of thousands of its drivers was stolen last year, the result of what the company says was a one-time database breach.

In a statement late last week, Uber's Managing Counsel of Data Privacy, Katherine Tassi, said that Uber first became aware of a potential database breach in mid-September 2014, and the subsequent investigation uncovered unauthorized access to an Uber database on May 13, 2014.

Tassi said that the files accessed contained both the names and driver's license numbers of Uber driver partners.

"Our investigation determined the unauthorized access impacted approximately 50,000 drivers across multiple states," said Tassi in the blog post, "which is a small percentage of current and former Uber driver partners."

However, just how small a percentage of Uber driver partners that might be is unclear. In January 2015, Uber commissioned a study that showed the company had only 160,000 active drivers at the time, 40,000 of which had been added in December 2014; nearly half of all Uber drivers become inactive after one year, either through termination or quitting.

Tassi noted that Uber has not yet learned of any misuse of the driver data, but will be offering one year of identity theft protection to the drivers whose data was stolen. Tassi also said that Uber changed the access protocols for the database, and has begun an in-depth investigation to determine who is responsible for breaching the database.

In its release, Uber said it has filed a so-called John Doe lawsuit against the unknown person responsible for the breach, and has also filed a subpoena against developer code host GitHub in an effort to obtain the IP address of anyone who accessed a specific gist post between March and September of 2014. A gist post is a place to share snippets of code, and Uber claims this post included a "unique security key" that the attacker used to access the Uber driver database.

The Uber data breach is the latest in the long line of incidents in which organizations have had their databases breached, including LinkedIn Corp., UCLA, and Monster Worldwide Inc.

Dig Deeper on Data security breaches

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

What are the top takeaways from the Uber data breach?
My takeaways from the recent Uber data breach are that any organization or business, regardless of size, is susceptible to malware and vicious cyber attacks and that in order to keep my enterprise safe, we must stay abreast of every new threat as soon as it is known. With these takeaways, I have my IT staff go over the current security protocols and authentication procedures and ensure they are stronger than the new threat.
Carol has hit it on the head. Nobody is really safe and the process of log management and regularly updated security is the key. As I've mentioned elsewhere, security is an ever-moving target and every business needs to try and keep pace.
Three words...

Two factor authentication

If you have a mission critical system, or a system that stores a lot of sensitive data for a system, you ought to be using it.

(ironic that something similar may have happened in an episode of Elementary.)
If Uber had taken its security enforcement seriously, it would not have to wait four months in order to uncover the breach.
I think the lag in reporting is a huge issue that nobody is talking about. Even the Target, Home Depot and other breaches were kept under wraps for far longer than I think was prudent. If customers don't know their data has been stolen, they can't respond in a timely manner. This is the area I see as requiring the most oversight as we move forward.
The real question is.. why did it take Uber so long to realize the breach happened, and then notify its drivers?