Bug in Uber App Leaks Driver Information

Ride-hailing company Uber disclosed that a bug in their newly unveiled Uber Partner App, designed specifically for drivers, has exposed the private information of at least 600 Uber drivers in the US. Nearly a thousand documents were exposed in the data breach. Included in the exposed information are Social Security numbers and tax certification forms, like W-9 forms. Scans of driver’s licenses have also been exposed.

Uber said that the bug was fixed within 30 minutes after a driver brought it to the company’s attention. The breach was uncovered when an Uber driver logged into their account to check their vehicle’s registration and found that they could see other people’s driver’s licenses, chauffeur certifications, and vehicle registration details. The company says that there is currently no evidence that Uber’s data has been used maliciously, or that any of the drivers have misused the data they accidentally gained access to.
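The failure described above is an authorization bug: a logged-in driver could retrieve records that belonged to other drivers. The following is an added illustration, not Uber's code, of the defect pattern beside the check that prevents it. The driver ids, document ids, in-memory store and function names are all constructed for the example.

```python
# Added example (not Uber's code): an object-level authorization check for
# per-driver documents. Driver ids, document ids and contents are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_driver_id: int
    kind: str        # e.g. "drivers_license", "vehicle_registration", "w9"
    contents: str


# Constructed in-memory store standing in for the app's document backend.
DOCUMENTS = {
    101: Document(101, 1, "drivers_license", "scan for driver 1"),
    102: Document(102, 2, "vehicle_registration", "registration for driver 2"),
    103: Document(103, 2, "w9", "tax form for driver 2"),
}


class Forbidden(Exception):
    """Raised when a caller asks for a document it does not own."""


def fetch_document_vulnerable(requesting_driver_id: int, doc_id: int) -> Document:
    # The defect pattern: the lookup keys on the document id alone, so any
    # logged-in driver who reaches another driver's id can read that record.
    return DOCUMENTS[doc_id]


def can_read(requesting_driver_id: int, doc_id: int) -> bool:
    # Ownership is decided server-side from the authenticated identity,
    # never from anything the client sends besides the id it is asking for.
    doc = DOCUMENTS.get(doc_id)
    return doc is not None and doc.owner_driver_id == requesting_driver_id


def fetch_document(requesting_driver_id: int, doc_id: int) -> Document:
    # Hardened lookup: a foreign id and a missing id produce the same error,
    # so the endpoint does not reveal which ids exist.
    if not can_read(requesting_driver_id, doc_id):
        raise Forbidden(f"driver {requesting_driver_id} may not read document {doc_id}")
    return DOCUMENTS[doc_id]


def list_documents(requesting_driver_id: int) -> list:
    # Listings are filtered on ownership at the data layer, not in the client.
    return [d for d in DOCUMENTS.values() if d.owner_driver_id == requesting_driver_id]
```

The important design point is that `can_read` derives ownership from the server's own record and the authenticated caller, so a client cannot widen its view by changing the id it requests; the same rule has to be applied to list endpoints, which is where a "show me my registration" screen usually pulls its data from.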

This data breach is only the latest in the string of security leaks that Uber has had. Due to another security flaw, hackers were able to control compromised Uber accounts even after the users changed their passwords. The hackers could retain control because of an oversight: changing a password did not automatically log the account out of all devices. If an Uber user discovered their account had been hacked, they could change their password from their phone, but the hacker would remain logged in to the compromised account on their own device. Hackers even stayed logged in when Uber reset passwords on behalf of the hacked users. Users regarded this flaw as negligence on Uber’s part.
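One common way to make a password change evict every existing session is to stamp each session token with a per-user generation counter and bump that counter whenever the password changes. The code below is an added example and is not Uber's implementation; the token format, the `User` class, the in-memory `USERS` store and the PBKDF2 parameters are all constructed assumptions for the illustration.

```python
# Added example (not Uber's code): session tokens carry a per-user generation
# counter, and a password change bumps it so every older token is rejected.
import base64
import hashlib
import hmac
import json
import os
import secrets

# Constructed per-process signing key; a real deployment loads it from a vault or KMS.
SERVER_KEY = secrets.token_bytes(32)


class User:
    def __init__(self, name: str, password: str):
        self.name = name
        self.salt = os.urandom(16)
        self.password_hash = self._hash(password)
        self.session_generation = 0   # incremented on every password change or forced logout

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)


USERS: dict = {}


def register(name: str, password: str) -> User:
    USERS[name] = User(name, password)
    return USERS[name]


def mint_session(user: User) -> str:
    # Token = base64(claims) "." hex(HMAC(claims)); the generation is baked into the claims.
    claims = json.dumps({"u": user.name, "g": user.session_generation}).encode()
    tag = hmac.new(SERVER_KEY, claims, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(claims).decode() + "." + tag


def validate_session(token: str):
    # Returns the User for a valid, current token, or None.
    try:
        claims_b64, tag = token.split(".")
        claims = base64.urlsafe_b64decode(claims_b64)
    except ValueError:          # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SERVER_KEY, claims, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    parsed = json.loads(claims)
    user = USERS.get(parsed.get("u"))
    # The generation check is what logs the attacker's device out too:
    # a token minted before the last password change carries a stale "g".
    if user is None or parsed.get("g") != user.session_generation:
        return None
    return user


def force_logout_everywhere(user: User) -> None:
    user.session_generation += 1


def change_password(user: User, old_password: str, new_password: str) -> bool:
    if not hmac.compare_digest(user._hash(old_password), user.password_hash):
        return False
    user.salt = os.urandom(16)
    user.password_hash = user._hash(new_password)
    force_logout_everywhere(user)    # invalidates every session, on every device
    return True


def admin_reset_password(user: User, new_password: str) -> None:
    # A support-driven reset (the article notes Uber reset passwords on users'
    # behalf) must revoke sessions exactly as a self-service change does.
    user.salt = os.urandom(16)
    user.password_hash = user._hash(new_password)
    force_logout_everywhere(user)
```

The counter lives with the user record rather than in a per-session revocation list, so the check costs one comparison on every request and covers sessions the server never enumerated, including the one on the attacker's device.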

Furthermore, back in May, US and UK Uber users found their account details being sold on the dark web for as little as $1. Last year, a post on an account hacking forum advertised a configuration file that could be combined with an account cracking program to quickly break into online accounts. The hackers would first need to buy a data dump of log-in credentials. The program then cycles through the stolen credentials and tries each one on a specific website, in the hope that one of the combinations works. In one example, a hacker took stolen credentials from a gaming website and cycled through them on Uber’s website. People who reused the same log-in credentials across different websites were more likely to have their accounts compromised. Uber tried to claim that their systems were not breached, but the evidence was not in their favor.
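From the defender's side, this kind of credential stuffing has a recognisable shape in the authentication log: one source fails against many different accounts in a short window, and the occasional success among them is an account whose reused password worked. The detector below is an added example, not code from Uber or from any product named on this page; the log format (`timestamp source_ip account result`), the sample lines, the five-minute window and the five-account threshold are all constructed assumptions.

```python
# Added example (not Uber's or Promisec's code): detect the credential-stuffing
# pattern in authentication logs. The log lines and their format are constructed.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: "timestamp source_ip account result". One source fails against
# many different accounts within seconds and then one reused password succeeds;
# a second source is just a user mistyping their own password.
SAMPLE_LOG = """\
2016-10-12T10:00:01 198.51.100.7 alice FAIL
2016-10-12T10:00:02 198.51.100.7 bob FAIL
2016-10-12T10:00:03 198.51.100.7 carol FAIL
2016-10-12T10:00:04 198.51.100.7 dave FAIL
2016-10-12T10:00:05 198.51.100.7 erin FAIL
2016-10-12T10:00:06 198.51.100.7 frank FAIL
2016-10-12T10:00:07 198.51.100.7 grace OK
2016-10-12T10:00:10 203.0.113.9 heidi FAIL
2016-10-12T10:00:25 203.0.113.9 heidi FAIL
2016-10-12T10:00:40 203.0.113.9 heidi OK
"""


def parse_line(line: str):
    ts, ip, account, result = line.split()
    return datetime.fromisoformat(ts), ip, account, result


def detect_stuffing(lines, window=timedelta(minutes=5), distinct_accounts=5):
    """Return (alerts, suspect_logins).

    alerts: {source_ip: peak number of distinct accounts failed within the window}
    suspect_logins: successful logins from a source already flagged, i.e. the
    accounts whose reused password most likely worked and need a forced reset.
    """
    recent = defaultdict(deque)      # ip -> deque of (timestamp, account) for failures
    alerts = {}
    suspect_logins = []
    for line in lines:
        if not line.strip():
            continue
        ts, ip, account, result = parse_line(line)
        if result == "OK":
            if ip in alerts:
                suspect_logins.append((ip, account))
            continue
        q = recent[ip]
        q.append((ts, account))
        while q and ts - q[0][0] > window:
            q.popleft()
        # Many distinct accounts from one source is the stuffing signature;
        # one account failing repeatedly is ordinary user error and is not flagged.
        distinct = len({a for _, a in q})
        if distinct >= distinct_accounts:
            alerts[ip] = max(alerts.get(ip, 0), distinct)
    return alerts, suspect_logins
```

Keying the window on distinct accounts rather than on raw failure count is what separates a stuffing run from a legitimate user retyping a password, and recording successes from an already-flagged source gives the response team the list of accounts to reset first.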

Uber was involved in another data leak scandal, when the information of 50,000 Uber drivers was leaked. The hackers were able to access the database of drivers through a security key that was left exposed for three months on web-hosting service GitHub. Lyft, Uber’s competitor, was implicated in this data breach. Uber said they traced the IP address involved in the hack to Lyft CTO Chris Lambert. This security breach also occurred in May, but Uber did not notice until September. The company also didn’t notify registered drivers about the leak until it filed a lawsuit against GitHub.
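A key that sits in a public repository for three months is the kind of exposure a pre-commit secret scan is meant to catch. The scanner below is an added example, not code from Uber or GitHub: it flags added diff lines that either match a known key format or contain a long token whose character entropy looks like random key material. The diff is constructed, the 4.0-bit entropy threshold is an assumption, and the `AKIA...` pattern (the AWS access key id format, using the placeholder key from AWS's own documentation) is included only as an illustrative known-format check; the article does not say which service's key was exposed.

```python
# Added example (not Uber's or GitHub's code): scan a diff for committed secrets
# before it leaves the developer's machine. The diff text is constructed.
import math
import re

TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
# Assumed known-format check: AWS access key ids are "AKIA" plus 16 upper-case
# alphanumerics. Real scanners carry many such patterns; this is one illustration.
KNOWN_FORMATS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
ENTROPY_THRESHOLD = 4.0    # bits per character (assumed); random keys sit well above it

# Constructed sample diff (only added lines are scanned). The access key id is the
# placeholder from AWS documentation, the secret is an invented 32-character string.
SAMPLE_DIFF = """\
--- a/deploy/settings.cfg
+++ b/deploy/settings.cfg
@@ -1,3 +1,6 @@
 # deploy settings (constructed sample, not a real repository)
+region = "us-east-1"
+access_key_id = "AKIAIOSFODNN7EXAMPLE"
+secret_access_key = "x7Gq9LmT2vKp4RsW8bNzY3hJ6cDf1AeU"
+db_host = "drivers-db.internal.example"
+log_level = "info"
"""


def shannon_entropy(s: str) -> float:
    # Bits per character of the string's own symbol distribution.
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secrets(diff_text: str):
    """Return [(line_number, token, reason)] for suspicious added lines."""
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue   # only newly added content matters; skip the file header
        body = line[1:]
        for name, pat in KNOWN_FORMATS.items():
            for m in pat.finditer(body):
                findings.append((lineno, m.group(0), name))
        for tok in TOKEN_RE.findall(body):
            if any(f[1] == tok for f in findings if f[0] == lineno):
                continue   # already reported under a known format
            if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                findings.append((lineno, tok, "high_entropy"))
    return findings
```

Wiring `find_secrets` into a pre-commit hook that rejects the commit on any finding stops the key before it reaches the hosting service; the entropy check catches credentials whose format nobody wrote a pattern for, at the cost of some false positives on long identifiers, which is why the threshold is set above what ordinary English-like names reach.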

The string of breaches at Uber shows that companies need to be serious about protecting their employees and customers from data breaches. Companies can use Promisec Endpoint Manager to provide endpoint protection, so their employees don’t accidentally leak data. PEM’s cyber threat detection and malware detection capabilities monitor networks for suspicious activity and unauthorized software. With PEM, companies can ensure that their employees aren’t the victims of a data breach, and they can protect their customers from cyber breaches as well.