More than half of all Uber riders and drivers in the UK were affected by the ride-sharing company's data breach that was revealed last week.
The Information Commissioner's Office (ICO), the UK's independent authority for upholding information rights, said Uber reported on 29 November that 2.7 million of its approximately five million active UK riders and 50,000 drivers had their names, mobile phone numbers and email addresses compromised in the breach.
The ICO does not believe the exposed information by itself poses a direct threat to those affected, but noted that it could be combined with other online scams.
This notification follows the revelation that for more than a year Uber not only concealed a massive hack in which cyber-thieves stole the personal information of 57 million customers and drivers, but also paid the criminals around £75,000 to delete the stolen data.
Hiwot Mendahun, cyber-resilience expert at email and data security firm Mimecast, commented: “The information leaked by Uber could easily be used for impersonation attacks. By not warning everyone sooner, Uber has increased the risk for customers and drivers who may have already fallen prey to these types of attacks. Those affected now need to be extra vigilant against suspicious emails, text messages or phone calls.”
Christopher Day, chief cyber-security officer at Cyxtera, shared his thoughts with SC Media UK on the issue: “Paying criminals to delete stolen data and failing to notify victims is disturbing on multiple levels. At a minimum, it flies in the face of ethics and transparency. It emboldens attackers and keeps the cyber-security community from understanding techniques that could help other organisations prevent a similar attack. From a legal perspective, Uber failed to properly notify victims. This will inevitably cost the company dearly in terms of penalties and lawsuits. In fact, UK regulators are digging in already to understand the scope, which could trigger GDPR-related fines. The New York State Attorney General's office is also investigating the event.”
Matt Walmsley, EMEA Director at Vectra, commented: “Time and time again we see that all defences are imperfect. The onus needs to be on understanding an organisation's cyber-risk posture and cyber-readiness, not only in the abstract, but the real-time threat level and any in-progress attacks. We're now at a time where artificial intelligence needs to be introduced to identify and respond to threats automatically and in real time, a task that humans alone are simply incapable of performing at adequate scale and speed.”