
Uber hack: does your data need better protection?


Uber is the latest company to reveal a hack that’s affected 57 million customers and 600,000 drivers. We think it’s time you had better routes to redress when your data is compromised – do you agree?

It’s been reported today that Uber’s breach, which happened in 2016, was concealed by the global transportation giant, who paid the hackers to delete the data.

A spokesperson for Uber told us: ‘The compromised data included the names and driver’s license numbers of around 600,000 drivers in the United States, and some personal information of 57 million Uber users around the world, including names, email addresses and mobile phone numbers.’

They added: ‘At the time of the incident, immediate steps were taken by Uber to secure the data and obtain assurances that the downloaded data had been destroyed.

‘The incident did not breach Uber’s corporate systems or infrastructure, and outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, social security numbers or dates of birth were downloaded.’

Data breaches

While the Information Commissioner’s Office has warned Uber that it faces ‘higher fines’ for concealing the breach, an enormous number of people have been affected by it. In our view, not only does your data need better protection, but you also need better avenues for redress when your data is misused.

In a joint letter to the Digital Minister, Matt Hancock MP, Which?, Age UK, Privacy International and the Open Rights Group have called on the government to make it easier to seek redress for data breaches.

We believe the government should amend the Data Protection Bill, which is currently going through Parliament, to allow independent bodies to take collective redress on behalf of customers when a company has failed to take sufficient action following a data breach.

Collective redress

Data breaches, such as Uber’s, are becoming more common and yet the legal protections for consumers are still lagging behind.

As it stands the law is clear: should your data be compromised you have the right to redress from the company.

Your first step for actually doing so is to contact the company to find out what it is offering. If the company won’t provide you with redress, or what it has offered isn’t good enough, the only other option is to take the company to court yourself. This means a potentially lengthy and costly legal process.

Redress isn’t always financial compensation; in many cases it could be additional security credit checks or a monitoring service.

We think the best way to ensure that adequate redress is sought for consumers who’ve been party to a significant data breach is to allow independent organisations acting in the public interest to take action collectively on behalf of all those who have been affected.

A collective regime would improve processes, cut legal costs and court time, allow companies to address all claims at once and ultimately ensure that data breach victims get appropriate redress for misuse of their data.

Action on redress

Uber’s data breach – and the fact that it hid it – will worry both its customers and drivers. We think it’s critical that the company does all that it can to ensure affected people get clear information about what’s happened.

In the meantime, we’ll be continuing to make the case for collective redress. If you have suffered a data breach and your information was lost then share your story with us and help us make the case for collective redress.



Update: 29 November 2017

Uber has revealed that 2.7 million UK users have been affected by the data breach. The hackers accessed the names, email addresses and mobile numbers of passengers and drivers.

Our managing director of home products and services, Alex Neil, said:

‘Uber’s data breach – and the fact that it was hidden – will worry UK customers and drivers alike. It is critical that the company does all that it can to ensure affected people get clear information about what has happened.

‘Data breaches are becoming more and more common and yet the protections for consumers are lagging behind. The UK Government should use the Data Protection Bill to give independent bodies the power to seek collective redress on behalf of affected customers when a company has failed to take sufficient action following a data breach.’

Are you an Uber customer? Are you concerned that your data has been compromised? Do you think victims of data breaches should have easier routes to redress?

Ian Galloway says:
22 November 2017

Extraordinary that a big company like this believes that the data have been secured because they paid the ransom! How naive!

Uber hasn’t taken customer safety seriously enough and doesn’t protect their driver and customer private information properly – ban this company from the UK as Denmark has done!

[Sorry, Andrea – your comment has been edited to align with commenting rules. Please be mindful of comments which could be considered libellous or defamatory. Take a look at our commenting rules for further guidance. Thanks, mods]

I agree – ban this company!!

Not sure Uber represents the worst; Google is still at it:


Funnily enough, as this convo came out I have just been informed that Uber paid hackers $100K to hide massive theft of 75 million accounts. For my critics again, I can prove this as Bloomberg provides the information, unless you think a big prestigious company like that would lose face? Occurring in October 2016, for over a year due to the pay-off. Who did the deal? Again, it’s in the public domain: Joe Sullivan, Chief Security Officer at Uber. Sullivan got fired, and his deputy, or as Americans say, “let go”. In a press release on Bloomberg’s disclosure Khosrowshahi, the new CEO, said, quote, it’s “inexcusable”. Bloomberg reckons it will happen again. I have the full report and detailed circumstances, if required.

The impact of data breaches can continue for many years. An example is the breach at Talk Talk. People still feel the repercussions and are receiving phone calls at all times of the day quoting Talk Talk as the source.

There are two other major credit rating and data gathering agencies in the USA; from what I have been told, your data is spread over those as well.

Loreto Mallon says:
24 November 2017

This company does not care about driver’s rights so why would anybody be surprised that when they got hacked they dealt with the situation in this way?

Like so many big companies, they think that they can deal with things whatever way suits them best.

[Sorry, your comment has been edited to align with our community guidelines
https://conversation.which.co.uk/commenting-guidelines/. Thanks, mods.]

Very few people take security seriously. They think it will not happen to them. Many think all modern TECH is 100% secure and will not stop working or fail at all. Time after time it is proved how wrong they are. Everyone from top government to you and me is in danger of being “hacked etc.” and losing every penny you have. NOTHING on any computer is 100% secure. Just remember that.

So true Bishbut. If any real “National Emergency” happened, the lack of real practical skills of any sort will leave this society bemoaning the loss of their latest gadget rather than worrying about their actual lives. It’s certainly one way of reducing the world population.

I would like to “revive” this convo with a self-imposed “hack”; would those of a tender disposition please stop now. I thought I had seen and heard it all, but a company is selling “intelligent condoms” (January 2018), that’s right, and I hope I don’t become too “forward” in my post as I post this for its ability to gather information. First of all your “performance”, you know what I mean; second your size; next how long you “last” and number of “strokes” etc. and, ye gods!!, it’s sent to your smart-phone, meaning the world has it. Can you imagine the amount of blackmail or emails from porno companies impressed with your data? The mind boggles. Just imagine walking out of your house to the car and the neighbour comes out 2 doors down to laugh at you and say “shrimp”; on the other hand maybe a crowd of female admirers blocking your way. It’s called the iCon Smart Condom Ring. It then broadcasts it round the world and gives you world male statistics on it, revolutionary, and your scale in the “pecking order” wearable tech. Adam (who else?) Levison, the engineer behind the digital design, describes it as “beautiful”. I would call anybody wearing one just the FOOL part of beautiful. It also illuminates on the wearer (no comment on that). It will be sold by a British company in January 2018 online at £60 by British Condoms. Already the FBI are warning against it.

Uber has autonomous vehicles in Pittsburgh. How secure are their cars from hacking?

At the moment they are being supervised by humans in the driver’s seat, Alfa. They chose Pittsburgh as it’s home to robotics cutting-edge design, but this system can be hacked in two ways. One is change of control by hacking at a short distance, as the FBI and others have proved, or the GPS signal vital to guidance of the vehicle can be hacked. The second has proved possible in Pokemon Go, where the GPS signal has been hacked with GPS-enabled smart-phones. A hacker used a low-cost HackRF software-defined radio with RX-designed software; while cheating on a game he found that the HackRF could jam the GPS signal using a GPS-SDR-Sim. I will stop there, as if I post too much technical info somebody could get access to the full methods used, as reading down it shows exactly how to do it with a coloured photo included and the website to BUY the device. I clicked on the website and got a full detailed technical explanation from the hacker himself and he can spoof the GPS signal. Sorry, I got it on a non-standard search engine and I don’t want to post the URL. But if anybody wants to post and tell me it’s 100% UN-hackable I am willing to listen?

I cannot think of a reason why anyone would want to hack an Uber cab. Is there any financial advantage? Is it possible to discover who the passenger is? I can understand why the police or security services might wish to intercept a vehicle, but who else might have a reason to do so? I should be grateful for any enlightenment.

Just got an email telling me 4.5 GB of data is being sold on the dark web, equating to 1.4 billion credentials discovered by the 4iQ team, so if you are on LinkedIn, Twitter, MySpace, Tumblr, Dropbox, Zomato or Bitcoin they have your name/password and every other piece of data on you associated with those websites. All available in clear text for anybody to download. This includes the breach in March of 21 million Gmail and Yahoo accounts, and people wonder why callers know so much about them, and no, it hasn’t been “fixed”. All posters etc. using those services should change their passwords right away. Had a look at some and passwords included 123456, 123123, password etc.

Some people cannot be told anything at all. They will not listen or take any notice of any advice from anywhere or anybody. Most do not know that NO technology is 100% secure; they believe it cannot break down or fail in any way. They trust it with everything, but it should not be really trusted at all. You must be aware that it can and does fail or go wrong sometimes.

I’ve always believed using long and complex passwords (and different ones) for most services is a waste of both time and effort. At the Black Hat Europe convention last week a paper submitted by IOActive’s Fernando Arnaboldi revealed “bugs in the major programming languages JavaScript, Perl, PHP, Python and Ruby, and in all cases, he said the vulnerabilities could expose software written using those languages.

To run his test, Arnaboldi created a differential fuzzer, XDiFF, which compares behaviour of different inputs, versions, implementations and operating system implementations of the same piece of software.

The kinds of bugs revealed in the tests included undocumented features in Python, which provided OS-level command execution; information disclosure in NodeJS via error messages, a JRuby function that loads remote code for execution (RCE), and an RCE in PHP using the names of constants.”

It’s fairly technical but for most the message is that all software is bug-riddled, even at the lowest level, so there’s always a possibility your data will get compromised. It’s worth creating complex passwords (the easiest is a simple phrase) for important services and using only specifically created ones for your financial affairs. Otherwise, if you’ve ever ordered online, your data is already out there.
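Two of the comments above make a concrete, checkable point: the 4iQ credential dump is reported to contain passwords such as 123456, 123123 and password in clear text, and the last comment recommends a simple phrase as the easiest strong password. The script below is an added example written for this page, not code from Which? or from any of the commenters. It screens a candidate password the way a defender's sign-up or password-change check would: it looks the password up in a breached-password corpus using a k-anonymity range query (the client sends only the first five hex characters of the SHA-1 digest, so the full hash never leaves the machine; this is the query model used by Have I Been Pwned's Pwned Passwords service), and it gives a rough strength estimate that credits multi-word passphrases. The breach corpus here is constructed from the passwords named in the comment; `range_lookup` stands in for a real corpus file or API, and the 7,000-word vocabulary used for passphrase scoring is an assumption.

```python
import hashlib
import math

# Constructed breach corpus: SHA-1 digests of the kinds of passwords the
# comment above reports seeing in the leaked data, plus two more that are
# routinely near the top of breach frequency lists. A real deployment
# would use a large corpus file or an online range-lookup service.
BREACHED_PASSWORDS = ["123456", "123123", "password", "qwerty", "letmein"]
BREACH_CORPUS = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
                 for p in BREACHED_PASSWORDS}

# Assumed vocabulary size for scoring word-based passphrases (about 12.8 bits/word).
PASSPHRASE_VOCAB = 7000


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form breach corpora are keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix: str) -> set:
    """Simulated k-anonymity range query: given a 5-character hash prefix,
    return every corpus suffix sharing it. The corpus side never sees the
    full hash, so it cannot tell which candidate the client is checking."""
    if len(prefix) != 5:
        raise ValueError("range queries take a 5-hex-character prefix")
    return {h[5:] for h in BREACH_CORPUS if h.startswith(prefix)}


def is_breached(password: str) -> bool:
    """True if the password's full SHA-1 appears in the breach corpus."""
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])


def strength_bits(password: str) -> float:
    """Rough entropy estimate. Three or more space-separated words are scored
    per word against the assumed vocabulary; anything else is scored per
    character from the character classes actually used."""
    words = password.split()
    if len(words) >= 3:
        return len(words) * math.log2(PASSPHRASE_VOCAB)
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(not c.isalnum() for c in password):
        charset += 33
    return len(password) * math.log2(charset) if charset else 0.0


def screen_password(password: str, min_bits: float = 50.0) -> dict:
    """Combine the breach lookup and the strength estimate into one verdict.
    A breached password is rejected regardless of its apparent strength."""
    problems = []
    if is_breached(password):
        problems.append("appears in breach corpus")
    bits = strength_bits(password)
    if bits < min_bits:
        problems.append(f"estimated strength {bits:.0f} bits is below {min_bits:.0f}")
    return {"ok": not problems, "bits": round(bits, 1), "problems": problems}


if __name__ == "__main__":
    for candidate in ["123456", "password", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(candidate, "->", screen_password(candidate))
```

The two checks are deliberately independent: a long, unusual-looking password that happens to sit in a breach corpus is still rejected, because attackers replay leaked credentials before they try to guess anything. The strength estimate is only a heuristic; the breach lookup is the check that actually reflects what is "already out there".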