Uber has suffered another data breach, with personal information of its drivers being stolen from the IT systems of law firm Genova Burns, which held the information as a result of legal work for the ride-hailing app.
Genova Burns first noticed suspicious activity in its IT systems on 31 January and hired a forensic security team to investigate, reporting its findings to law enforcement. The company changed all system passwords and promised to take “additional steps to improve security and better help protect against similar incidents in the future”. Uber said it did not know how many of its drivers had had records stolen.
In a statement, the company said it was notified in March by Genova Burns that it had suffered a security incident, which impacted “certain drivers who had completed trips in New Jersey”, and added that it had offered affected drivers “complimentary credit monitoring and identity protection services”. Genova Burns said in its letter to affected drivers that the stolen information included Social Security numbers and/or tax identification numbers, but that it was not aware of any misuse of the information.
The data could be used for identity theft, or sold on cybercrime forums.
This is the second such incident with a third party in recent years. Last year, after breaking into the network of software provider and Uber supplier Teqtivity, a cybercriminal calling themselves UberLeaks shared data pertaining to Uber workers on BreachForums.
No Uber customer data was touched in that breach, but information on more than 77,000 Uber and UberEats employees was leaked. In 2016, 57 million customer and driver records were stolen, leading to firings and lawsuits after Uber tried to cover up the theft by passing off a ransom payment to recover the data as a bug bounty award. Uber suffered another breach in September 2022, when a teenager affiliated with the Lapsus$ gang accessed Uber’s internal systems, including the corporation’s G Suite account, and downloaded internal Slack messages and a tool used by its finance department to manage “some” invoices.
The news is another blow to Uber’s reputation for data security, which has been severely damaged by previous incidents. These included the theft of personal data belonging to 57 million customers and drivers, for which the company was fined $148m by the US Federal Trade Commission.
The company was also fined €600,000 ($695,000) by the French Data Protection Authority in 2018 after 1.4 million French customers’ data was stolen. It also paid $100,000 to the hacker who stole data in the 2016 theft, and was criticised for failing to notify affected customers in a timely manner.
Despite this history, the company has claimed that it is committed to improving its security measures, including launching a bug bounty programme and a system of two-factor authentication.
It remains to be seen whether these measures will be sufficient to reassure customers and drivers.