
Uber data breach announced five months after discovery

A nationwide Uber data breach has put almost 50,000 Uber drivers at risk of identity theft, and the transportation company admits it became aware of the cyberattack five months before announcing it.

According to Katherine Tassi, managing counsel of data privacy with Uber, the breach was likely carried out on May 13, 2014, by an unknown third party. The Uber database that was accessed stored driver names and license numbers. The stolen information has yet to result in any reports of fraud. Uber did not learn of the data breach until Sept. 17, 2014, after which the company reportedly “immediately changed the access protocols for the database and began an in-depth investigation.”

“To date, we have not received any reports of actual misuse of any information as a result of this incident, but we are notifying impacted drivers and recommend these individuals monitor their credit reports for fraudulent transactions or accounts,” Tassi said in the data breach announcement. “We have also filed what is referred to as a ‘John Doe’ lawsuit so that we are able to gather information that may lead to confirmation of the identity of the third party.”

Despite Uber’s investigation, the company opted not to warn its drivers of the data breach until recently, nearly five months after Uber became aware of the cyberattack. The Wall Street Journal reported that in California, where almost 20,000 of the 50,000 affected Uber drivers are located, state law requires companies to make affected parties aware of a data breach “in the most expedient time possible and without unreasonable delay.”

“I usually expect it’s no more than 60 days before you start notifying people,” Brian Finch, a cybersecurity expert with Pillsbury Winthrop Shaw Pittman in Washington, D.C., told The Wall Street Journal. “Unless they were cooperating with law enforcement, which is a possibility, it would seem to be an unusual delay.”

In response to the data breach, Uber is now offering its affected drivers a free one-year subscription to Experian’s ProtectMyID Alert.

Ars Technica