Uber Database Breach Exposed Information of 50,000 Drivers, Company Confirms

289 points, by rockdiesel, about 10 years ago

28 comments

therobot24, about 10 years ago
Data accessed on 5/13/2014, Uber noticed on 9/17/2014, and then notified the affected on 2/27/2015. Thankfully it was only names and plate numbers, but still...

All I see from Uber is bad publicity and poor management decisions. I wonder what it's like to work there from an insider's perspective, because from the outside it doesn't look good.
nathanmock, about 10 years ago
I accidentally stumbled upon employee admin screens, all by changing a key, isAdmin = true. https://news.ycombinator.com/item?id=9121004
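The flaw nathanmock describes is an authorization decision keyed off a field the client controls. The following is an added example, not code from the thread or from Uber: plain JavaScript with a constructed session table and two hypothetical handlers, showing the vulnerable pattern beside the server-side check that ignores any client-supplied isAdmin claim.

```javascript
// Added example: authorization must come from server-side state, never from
// a flag the client can edit. Handlers are hypothetical; no framework is used
// so the file runs stand-alone.

// Constructed server-side session store: session id -> the role the server
// itself assigned at login. Only this table is authoritative.
const SESSIONS = {
  "sess-driver-1": { userId: 1001, role: "driver" },
  "sess-staff-7": { userId: 7, role: "admin" },
};

const ADMIN_SCREEN = { status: 200, body: "employee admin screen" };
const FORBIDDEN = { status: 403, body: "forbidden" };
const UNAUTHENTICATED = { status: 401, body: "not authenticated" };

// Vulnerable: trusts an isAdmin key that arrives in the request body, so
// flipping it to true on the client reaches the admin screen.
function adminScreenVulnerable(req) {
  const isAdmin = req.body.isAdmin === true || req.body.isAdmin === "true";
  return isAdmin ? ADMIN_SCREEN : FORBIDDEN;
}

// Hardened: derives the role from the server-side session identified by the
// session cookie and never reads a role claim from the request payload.
function adminScreenHardened(req) {
  const session = SESSIONS[req.cookies.sessionId];
  if (!session) return UNAUTHENTICATED;
  return session.role === "admin" ? ADMIN_SCREEN : FORBIDDEN;
}

// Constructed request: a driver's valid session with the flag forged.
const forgedRequest = {
  cookies: { sessionId: "sess-driver-1" },
  body: { isAdmin: true },
};

// Same forged request, two outcomes: the vulnerable handler grants access,
// the hardened one returns 403 because the session role is "driver".
console.log("vulnerable:", adminScreenVulnerable(forgedRequest).status);
console.log("hardened:  ", adminScreenHardened(forgedRequest).status);
```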
anseljh, about 10 years ago
Under California law, data breach notifications "shall be made in the most expedient time possible and without unreasonable delay".

Civil Code § 1798.82(a): http://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.82

I find it hard to square that requirement with Uber waiting 5 months from when it found out.
cmurf, about 10 years ago
Congress needs to stop pissing in the wind and make a federal law on breach disclosure. Self-evidently companies won't universally do this on their own, and state-specific law makes compliance more difficult and expensive.
ryan_j_naughton, about 10 years ago
As much as Uber messed up here and there was a security breach, comparable information is publicly available. For example, the TLC in NYC provides this:

http://www.nyc.gov/html/tlc/downloads/excel/current_medallion_drivers.xls

This is a spreadsheet containing all the taxi drivers in NYC with their names, license numbers, and license expiration dates. Given that the only information leaked (according to Uber) was names and license numbers, that really isn't much beyond what might otherwise be available publicly.
eddiezane, about 10 years ago
The TechCrunch article says "license plate numbers" but the Uber post[0] says "driver's license number".

[0] http://blog.uber.com/2-27-15
jheriko, about 10 years ago
"cowboys get stung by being cowboys"

The number of f*cks I can give for the company is so low. I just feel sorry for all the drivers with the leaked information...
berberous, about 10 years ago
Uber really needs to have a public data retention policy stating that they anonymize or delete all data older than a couple of weeks. I'm just waiting for them to be hacked and have to reveal that people's trip data for years has been released.
logn, about 10 years ago
> Uber says it will offer a free one-year membership of Experian's ProtectMyID Alert

My ID has been breached twice in other, unrelated incidents. Each time these ID protection companies want to know my SS# and all sorts of other stuff. My heart skips a beat imagining them scraping the web for my SS# and CC# in an otherwise well-intentioned effort. I've refused their services and insist they only provide the insurance policy associated with this.
louwrentius, about 10 years ago
This incident, amongst many others, only shows that most companies don't give a rat's ass about our data or privacy.

They are happy enough if their systems actually work and run. That's enough for them.

This incident won't cost Uber anything. It won't matter to them. A few apologies here and there and that will be the end of it.

Maybe, maybe there is some trivial fine to pay, but that will be a rounding error on their balance sheet.
crdb, about 10 years ago
I see a lot of comments about security, but would be happy to bet this was simple social engineering and "human hacking". It's sobering to see large-ish companies that give full read access (and sometimes write) of customer and financial data to interns, fresh grads and new contractors for expediency. Young people are cheap. $500 is a new computer or weeks of food to an indebted student.

Management usually doesn't care; revenue and convenience trump security, until of course something bad happens, which is why older institutions have draconian access standards, meetings to discuss who has the right to know about the meeting to determine the access list management program (true story) and so on.

Nothing in the press release hints at an actual attack. "An unauthorized third party accessed our database, and we immediately changed the password" sounds like they realized one of their competitors hired an intern to get them a login.
seanmccann, about 10 years ago
Last year Uber was using Backbone and the JSON returned to the client included ALL information about the drivers you have used for trips, including home address, phone number, etc. I wonder if this has something to do with that?
spdustin, about 10 years ago
And depending on the state, you can find out the driver's birthday, or even if their real name is different from what is listed on their profile. The site at [0] shows how many states use soundex coding and modulus arithmetic to encode driver's license numbers with PII.

I'd be keen to see if every driver's info aligns with the license number (for those states that use encoding systems that embed PII into the number).

[0] http://www.highprogrammer.com/alan/numbers/index.html
martin_, about 10 years ago
I find it unlikely they have a database explicitly for driver names/license plates, unless it was some flat-file dump that was compromised. I'm curious how much data was really obtained. If only 50k were truly stolen, it could be a shard too. The lack of technical details is sketchy to me.
bobofettfett, about 10 years ago
Why does sec get breached? Marketing wants easy access to all data, that's it. Big Data / deep learning wants easy access, lots of data is in transit. Security is not convenient for operations, therefore companies have sec on paper and audits and stuff but no real sec.
codewithcheese, about 10 years ago
The free one-year membership of Experian's® ProtectMyID® Alert is genius: it's giving away something that costs them nothing (presumably Experian are using this as a marketing opportunity) as if it's a real step in the right direction to make up for the data leak.
anseljh, about 10 years ago
Here's a sample of the notification that went to affected "driver partners": http://oag.ca.gov/ecrime/databreach/reports/sb24-48540
coldcode, about 10 years ago
And apparently Uber has filed suit against GitHub: http://www.theregister.co.uk/2015/02/28/uber_subpoenas_github_for_hacker_details/
freehunter, about 10 years ago
I work in info sec, and in one of the "Who's Hiring" posts a few months ago (do we still do those? I haven't seen one in a while) I asked "why are startups never hiring security guys?", because I never see a security engineer position open in those topics. I never got a response. To me that indicates the response is "we don't".

Listen, guys. I don't care how small you are. If you are handling PII or credit card data or anything that, if leaked, would harm your business or your customers, you need a security guy. Not a programmer who knows some security stuff. Not a manager who checks off the online PCI self-assessment. Not "we outsource to an MSSP". At least one security guy, full time. Make sure that everything you do is run past that person. If you're so busy that you can't run everything past that person, hire another.

It's not a joke. Stop fucking ruining people's lives. It's 2015, four years past "the year of the breach" [1]. Get with the program. It's not okay to have a breach. It's not. It doesn't matter how much money you saved from not having a security guy or the tools they need. Get someone who knows what they're talking about and listen to them.

[1] http://news.softpedia.com/news/IBM-2011-is-The-Year-of-the-Security-Breach-224465.shtml
mrwarn, about 10 years ago
Is this a signal that we should expect another large round of funding for Uber?
legulere, about 10 years ago
I hope the authorities got hold of this data to check which drivers aren't paying taxes.
nastygibbon, about 10 years ago
No info as to how this was exposed. Were they storing data as plain text?
bobofettfett, about 10 years ago
Why is data lost all the time?

Because lists of data exist.

Why do they exist?

Because everyone is using Excel.
archlight, about 10 years ago
The amazing thing I found about Uber is that after all the gaffes, privacy leaks and maybe more, it still grows at such a speed. It surely means something big.
ukigumo, about 10 years ago
Is this what a 40 billion dollar startup looks like?
unimportant, about 10 years ago
On an unrelated note, does anyone want to be a co-founder of an Uber competitor?

I got 50k drivers ready to drive for us. :P
nedwin, about 10 years ago
Good to get this news out there on a Friday afternoon.
Trisell, about 10 years ago
Between this breach and the impending classification as a cab company by more and more major cities, I think that we can consider Uber to be either the walking dead or something very close to it at this point.