A place for all things security.

Uber releases information regarding a data breach six months later

Mar 4, 2015 // Andrew Stroup

Uber, the well known car service that’s been disrupting the livery industry, announced last Friday, February 27th, suffered a data breach back in May 13th, 2014.

The breach affected 50,000 drivers across the United States, a small percentage of the Uber driver base according to Uber’s Managing Counsel, exposing the names and drivers licenses.

We discovered in September that information allowing someone to access the database had been available without intended access restrictions. We immediately ensured that they database was no longer accessible using that information and have taken additional safety measures to protect your information.</p> Based on the statement from Uber, it seems as if their database was accessed by someone obtained the login credentials without requiring some type of brute force attack. This implies the root source of the breach was likely from one of their own employees sharing or poorly managing their login credentials to the servers.

Uber is rolling out the standard one year of credit monitoring for the affected drivers. Uber also indicated they are taking measures to collect information for prosecution purposes if the attacker is identified.

This type of security threat is a very common risk to every company who operates in the cloud. The bottom line is that no company can fully protect itself from attacks, but implementing a strong security practice with supporting products (like our team password manager, CommonKey) is the best approach.