Uber’s Driver Data Breach Hidden For Five Months

Uber announced last week (Feb. 27) that the data of roughly 50,000 drivers may have been impacted in a security breach, but the car-hailing service company failed to report the information to drivers for five months after learning of the incident.

In a blog post on Uber’s website, Katherine Tassi, Uber’s managing counsel of data privacy, shared details of the breach. Tassi said Uber’s information database may have been compromised on May 13, 2014, by a third-party source, but the breach was not discovered by the company until Sept. 17, 2014. She indicated Uber “immediately changed the access protocols for the database and began an in-depth investigation,” which is how the company learned that 50,000 drivers may have been impacted by the breach. Still, Uber did not notify its drivers until recently. The files that were accessed contained the names and driver’s license numbers of some of the drivers, Tassi said.

All drivers have been notified, she said, and she noted that there have been no reports of the information being used for fraudulent purposes. Uber is also providing a one-year membership to Experian’s ProtectMyID Alert.

“To date, we have not received any reports of actual misuse of any information as a result of this incident, but we are notifying impacted drivers and recommend these individuals monitor their credit reports for fraudulent transactions or accounts,” Tassi wrote in the post. “We have also filed what is referred to as a ‘John Doe’ lawsuit so that we are able to gather information that may lead to confirmation of the identity of the third party.”

But according to some data breach experts, by failing to notify its drivers within two months, Uber may have taken longer than what state guidelines dictate. According to a report by The Wall Street Journal, California (Uber’s home state, where 20,000 drivers were impacted) requires companies to tell impacted parties “in the most expedient time possible and without unreasonable delay.” The report noted that most state laws have 60 days as a guideline, but the restrictions are often vague. An Uber spokeswoman told WSJ that the investigation is ongoing and drivers were notified as the law requires.

“I usually expect it’s no more than 60 days before you start notifying people,” Brian Finch, a cybersecurity and data-breach expert at law firm Pillsbury Winthrop Shaw Pittman in Washington, D.C., told The Wall Street Journal. “Unless they were cooperating with law enforcement, which is a possibility, it would seem to be an unusual delay.”

