Uber’s Driver Data Breach Hidden For Five Months

Uber announced last week (Feb. 27) that the data of roughly 50,000 drivers may have been impacted in a security breach, but the car-hailing service company failed to report the information to drivers for five months after learning of the incident.

In a blog post on Uber’s website written by Katherine Tassi, Uber’s managing counsel of data privacy, she shared details of the breach. Tassi said Uber’s information database may have been compromised on May 13, 2014, by a third-party source, but the intrusion was not discovered by the company until Sept. 17, 2014. She indicated Uber “immediately changed the access protocols for the database and began an in-depth investigation,” which is how the company learned that 50,000 drivers may have been impacted by the breach. Still, Uber did not notify its drivers until recently. The files that were accessed contained the names and driver’s license numbers of some of the drivers, Tassi said.

All drivers have been notified, she said, and she noted that there have been no reports of the information being used for fraudulent purposes. Uber is also providing a one-year membership to Experian’s ProtectMyID Alert.

“To date, we have not received any reports of actual misuse of any information as a result of this incident, but we are notifying impacted drivers and recommend these individuals monitor their credit reports for fraudulent transactions or accounts,” Tassi wrote in the post. “We have also filed what is referred to as a ‘John Doe’ lawsuit so that we are able to gather information that may lead to confirmation of the identity of the third party.”

But according to some data breach experts, Uber’s failure to notify its drivers within two months may have exceeded what state guidelines allow. According to a report by The Wall Street Journal, California (Uber’s home state, where 20,000 drivers were impacted) requires companies to tell impacted parties “in the most expedient time possible and without unreasonable delay.” The report noted that most state laws use 60 days as a guideline, but the requirements are often vague. An Uber spokeswoman told WSJ that the investigation is ongoing and that drivers were notified as the law requires.

“I usually expect it’s no more than 60 days before you start notifying people,” Brian Finch, a cybersecurity and data-breach expert at law firm Pillsbury Winthrop Shaw Pittman in Washington, D.C., told The Wall Street Journal. “Unless they were cooperating with law enforcement, which is a possibility, it would seem to be an unusual delay.”