pixel_dreams - Fotolia
San Francisco-based Internet ride-sharing company Uber Inc. has revealed that personal data on tens of thousands of its drivers was stolen last year, the result of what the company says was a one-time database breach.
In a statement late last week, Uber's Managing Counsel of Data Privacy, Katherine Tassi, said that Uber first became aware of a potential database breach in mid-September 2014, and the subsequent investigation uncovered unauthorized access to an Uber database on May 13, 2014.
Tassi said that the files accessed contained both the names and driver's license numbers of Uber driver partners.
"Our investigation determined the unauthorized access impacted approximately 50,000 drivers across multiple states," said Tassi in the blog post, "which is a small percentage of current and former Uber driver partners."
However, just how small a percentage of Uber driver partners that might be is unclear. In January 2015, Uber commissioned a study that showed the company had only 160,000 active drivers at the time, 40,000 of which had been added in December 2014; nearly half of all Uber drivers become inactive after one year, either through termination or quitting.
Tassi noted that Uber has not yet learned of any misuse of the driver data, but will be offering one year of identity theft protection to the drivers whose data was stolen. Tassi also said that Uber changed the access protocols for the database, and has begun an in-depth investigation to determine who is responsible for breaching the database.
In its release, Uber said it has filed a so-called John Doe lawsuit against the unknown person responsible for the breach, and has also filed a subpoena against developer code host GitHub in an effort to obtain the IP address of anyone who accessed a specific gist post between March and September of 2014. A gist post is a place to share snippets of code, and Uber claims this post included a "unique security key" that the attacker used to access the Uber driver database.
The Uber data breach is the latest in the long line of incidents in which organizations have had their databases breached, including LinkedIn Corp., UCLA, and Monster Worldwide Inc.