The enormously popular alternative taxi service, Uber, admitted late Friday that an unauthorized third party gained access to the company’s database, stealing driver but not customer information in the process.
In a statement, Uber claims there was a “one-time access” of its databases, spilling the names and license numbers of some 50,000 “driver partners” in various U.S. states. While that figure may seem large, the company claims it represents just a small percentage of current and former drivers. They say the breach occurred on May 14, 2014, but went undiscovered until Sept. 17, 2014.
“Immediately upon discovery we changed the access protocols for the database, removing the possibility of unauthorized access,” said Katherine Tassi, Uber’s managing counsel of data privacy. “We are notifying impacted drivers, but we have not received any reports of actual misuse of information as a result of this incident.”
In addition to hardening its access protocols following the security incident, the company is also filing what it calls a “John Doe lawsuit” in order to gather more information and potentially confirm the identity of the third party that breached Uber’s systems.
As is customary in data breaches, Uber is contacting the affected parties and providing a free one-year membership of Experian’s ProtectMyID Alert service.
It’s not clear how Uber determined that the breach, which went unnoticed for four months, was in fact a one-time access, nor is it clear how the company knows that no customer data was impacted. Threatpost reached out to Uber, but the company did not respond to our request for comment before publication.