Ride-sharing company Uber, which has already battled a database compromise and hackers selling stolen user accounts this year, announced over the weekend that it will bulk up its security division.
Uber will quadruple the number of employees that currently oversee security at the San Francisco-based company and that by the year’s end, the department will boast more than 100 employees, Joe Sullivan, the company’s Chief Security Officer, told the Financial Times on Sunday.
The company in April hired Sullivan, a former cybercrime prosecutor who worked doing security for five years at Facebook and seven years at eBay and PayPal.
Sullivan told the paper one of the biggest challenges the multibillion-dollar company faces is moderating who controls users’ sensitive information, why and when.
“Every company is a data company now, no one can be unsophisticated. The challenge is half the company needs access to customer data some of the time — it is not just customer support, it is marketing, engineers as they iterate, communications when they need to figure out what happened in an incident,” Sullivan told the Financial Times.
Sullivan informed the paper the company was already working on controlling who has access to what information and for how long before it even hired him. Still, it’s likely the company, recently valued at $50 billion, will devote part of the $1 billion it secured in a round of funding two weeks ago to better keeping tabs on the security of its customers.
The news comes just days after reports surfaced that stolen Uber accounts were being sold for as little as 40 cents on the dark web.
Motherboard reported in March that purportedly authentic accounts, complete with credit card and PayPal information attached, were being sold on AlphaBay, a darknet market accessible via the Tor network. Now Motherboard claims some merchants on the site are selling accounts for as little as 40 and 50 cents apiece. In a post on Friday, the site claims it noticed six different vendors hawking Uber accounts.
The company claimed in June that it was working on developing better security measures for users and detecting fraudulent activity but wouldn’t disclose exactly what those were.
When reached Monday the company warned that attempting to fraudulently access or sell accounts is illegal, adding that it had notified the authorities about the report.
“This is a good opportunity to remind people to use strong and unique usernames and passwords and to avoid reusing the same credentials across multiple sites and services,” said an Uber spokesperson.
Protests and controversy aside, Uber has had a bit of a rocky year on the security front. In addition to stolen accounts making the rounds online, the company announced in March that attackers had managed to infiltrate its systems in 2014 and compromised a database containing 50,000 current and former driver partner names and license numbers. The company claimed at the time that it had revoked access protocols for the database and that it hadn’t received any reports of misuse.