18 Nov Uber investigated for allowing customer bank accounts to be hacked
Uber concealed a hack that affected 57 million customers and drivers, the company has confirmed.
The exposure of the breach, which happened in 2016, has meant the company’s security officer Joe Sullivan was fired.
In the UK, the Information Commissioner’s Office said it had “huge concerns” about Uber’s cover-up of the hack.
The UK data regulator launched an investigation with the National Cyber Security Centre, part of GCHQ, to determine the true scale of the incident last year.
The taxi company admitted the breach yesterday after sacking Joe Sullivan, the chief technology officer who oversaw the response alongside Travis Kalanick, the disgraced former chief executive. Uber has not yet disclosed how many British customers were affected. It is believed that Uber has at least six million users in this country.
After they were approached by the hackers last October, Uber’s bosses chose to pay the criminals $100,000 (£75,000) to keep the breach quiet.
Former chief executive Travis Kalanick knew about the breach, according to Bloomberg, which first broke the story. The response was to pay hackers $100,000 (£75,000) to delete the data.
The hackers found 57 million names, email addresses and mobile phone numbers, Uber said.
Within that number, 600,000 drivers had their names and licence details exposed. A resource page for those affected has been set up.
Whilst drivers have been offered free credit monitoring protection, customers will not be given the same.
This decision comes as no surprise to one of Uber’s former customers who lost hundreds of pounds after her account details were hacked.
Journalist Siobhan McFadyen said, “I received a telephone call from a Chinese takeaway restaurant in London saying that £300 had been charged to my account over a series of orders and I checked my account and the money had been removed.
“I tried to get in touch with Uber but they don’t have a number for customers so I eventually got a vendor number and called through and was on the phone for hours and they did nothing. I repeatedly emailed head office and they did nothing, initially denying a hack so I announced it on Twitter.
“When I asked for compensation I was told no. I tried reporting this to trading standards who informed me that I’d have to go through a process of pursuing them via the authorities in Amsterdam. I reported my complaint to them and heard nothing. How a company is allowed to raid your bank account, pay off hackers who have stolen your data and escape fines due to their conveniently located tax avoidance hideaway is an actual scandal.
“I immediately cancelled my account and spoke to others online who had been hacked. I’d love a great lawyer with taste for class action to take them to town for it.
“The UK authorities are struggling to keep this law-breaking company in check. I for one think their brand is tarnished especially in relation to sex assaults against women in their cars in the UK. Some may say I’m in the minority but I feel that other service providers are out there who actually care about customers. That’s my bottom line.”
Uber’s new chief executive Dara Khosrowshahi said the company had ‘not seen evidence of fraud or misuse tied to the incident.’
“We are monitoring the affected accounts and have flagged them for additional fraud protection,” he added.
“None of this should have happened, and I will not make excuses for it.
“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”
But Ms McFadyen said she had seen “no evidence of good, honest business practice from this smoke and mirrors enterprise that facilitated a fraud on my bank account” and added, “perhaps he should put his reading glasses on?”