/ Technology

Uber hack: does your data need better protection?


Uber is the latest company to reveal a hack that’s affected 57 million customers and 600,000 drivers. We think it’s time you had better routes to redress when your data is compromised – do you agree?

It’s been reported today that Uber’s breach, which happened in 2016, was concealed by the global transportation giant, who paid the hackers to delete the data.

A spokesperson for Uber told us: ‘The compromised data included the names and driver’s license numbers of around 600,000 drivers in the United States, and some personal information of 57 million Uber users around the world, including names, email addresses and mobile phone numbers.’

They added: ‘At the time of the incident, immediate steps were taken by Uber to secure the data and obtain assurances that the downloaded data had been destroyed.

‘The incident did not breach Uber’s corporate systems or infrastructure, and outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, social security numbers or dates of birth were downloaded.’

Data breaches

While the Information Commissioner’s Office has warned Uber that it faces ‘higher fines’ for concealing the breach, an enormous number of people have been affected by it. In our view, not only does your data need better protection, but you also need better avenues for redress when your data is misused.

In a joint letter to the Digital Minister, Matt Hancock MP, Which?, Age UK, Privacy International and the Open Rights Group have called on the government to make it easier to seek redress for data breaches.

We believe the government should amend the Data Protection Bill, which is currently going through Parliament, to allow independent bodies to take collective redress on behalf of customers when a company has failed to take sufficient action following a data breach.

Collective redress

Data breaches, such as Uber’s, are becoming more common and yet the legal protections for consumers are still lagging behind.

As it stands the law is clear: should your data be compromised you have the right to redress from the company.

Your first step for actually doing so is to contact the company to find out what it is offering. If the company won’t provide you with redress, or what it has offered isn’t good enough, the only other option is to take the company to court yourself. This means a potentially lengthy and costly legal process.

Redress isn’t always financial compensation, in many cases, this could be additional security credit checks or a monitoring service.

We think the best way to ensure that adequate redress is sought for consumers’ who’ve been party to a significant data breach is to allow independent organisations acting in the public interest to take action collectively on behalf of all those who have been affected.

A collective regime would improve processes, cut legal costs and court time, allow companies to address all claims at once and ultimately ensure that data breach victims get appropriate redress for misuse of their data.

Action on redress

Uber’s data breach – and the fact that it hid it – will worry both its customers and drivers. We think it’s critical that the company does all that it can to ensure affected people get clear information about what’s happened.

In the meantime, we’ll be continuing to make the case for collective redress. If you have suffered a data breach and your information was lost then share your story with us and help us make the case for collective redress.

Share your experience


Update: 29 November 2017

Uber has revealed that 2.7 million UK users have been affected by the data breach. The hackers accessed the names, email addresses and mobile numbers of passengers and drivers.

Our managing director of home products and services, Alex Neil, said:

‘Uber’s data breach – and the fact that​ it was hidden – will worry​ UK​ customers and drivers alike. It is critical that the company does all that it can to ensure affected people get clear information about what has happened.

‘Data breaches are becoming more and more common and yet the protections for consumers are lagging behind. The UK Government should use the Data Protection Bill to give independent bodies the power to seek collective redress on behalf of affected customers when a company has failed to take sufficient action following a data breach.’

Are you an Uber customer? Are you concerned that your data has been compromised? Do you think victims of data breaches should have easier routes to redress?

Ian Galloway says:
22 November 2017

Extraordinary that a big company like this believes that the data have been secured because they paid the ransom! How naive!

Uber hasn’t taken customer safety seriously enough and doesn’t protect their driver and customer private information properly – ban this company from the UK as Denmark has done!

[Sorry, Andrea – your comment has been edited to align with commenting rules. Please be mindful of comments which could be considered libellous or defamatory. Take a look at our commenting rules for further guidance. Thanks, mods]

I agree – ban this company!!

Not sure Uber represents the worst; Google is still at it:


This comment was removed at the request of the user

The impact of data breaches can continue for many years. An example is the breach at Talk Talk. People still feel the repercussions and are receiving phone calls at all times of the day quoting Talk Talk as the source.

This comment was removed at the request of the user

Loreto Mallon says:
24 November 2017

This company does not care about driver’s rights so why would anybody be surprised that when they got hacked they dealt with the situation in this way?

Like so many big companies, they think that they can deal with things whatever way suits them best.

[Sorry, your comment has been edited to align with our community guidelines
https://conversation.which.co.uk/commenting-guidelines/. Thanks, mods.]

Very few people take security seriously They think it will not happen to them Many think all modern TECH is 100% secure will not stop working or fail at all Time after time it proved how wrong they are everyone from top government to you and me are in danger of being “hacked etc. “and losing every penny you have NOTHING a on any computed is 100% secure just remember that

This comment was removed at the request of the user

This comment was removed at the request of the user

Uber has autonomous vehicles in Pittsburgh. How secure are their cars from hacking?

This comment was removed at the request of the user

I cannot think of a reason why anyone would want to hack a Uber cab. Is there any financial advantage? Is it possible to discover who the passenger is? I can understand why the police or security services might wish to intercept a vehicle, but who else might have a reason to do so? I should be grateful for any enlightenment.

This comment was removed at the request of the user

Some people cannot be told anything at all they will not listen or take any notice of any advice from anywhere or anybody Most do not know NO technology is not 100% secure they believe it cannot breakdown or fail in any way They trust it with everything but it should not be really trusted at all You must be aware that it can and does fail or go wrong sometimes

I’ve always believed using long and complex passwords (and different ones) for most services is a waste of both time and effort. At the Black Hat Europe convention last week a paper submitted by IOActive’s Fernando Arnaboldi revealed “bugs in the major programming languages JavaScript, Perl, PHP, Python and Ruby, and in all cases, he said the vulnerabilities could expose software written using those languages.

To run his test, Arnaboldi created a differential fuzzer, XDiFF, which compares behaviour of different inputs, versions, implementations and operating system implementations of the same piece of software.

The kinds of bugs revealed in the tests included undocumented features in Python, which provided OS-level command execution; information disclosure in NodeJS via error messages, a JRuby function that loads remote code for execution (RCE), and an RCE in PHP using the names of constants.”

It’s fairly technical but for most the message is that all software is bug-riddled, even at the lowest level, so there’s always a possibility your data will get compromised. It’s worth creating complex passwords (the easiest is a simple phrase) for important services and using only specifically created ones for your financial affairs. Otherwise, if you’ve ever ordered online, your data is already out there.