Uber’s Ex-CEO Paid $100K To Silence Hackers Who Obtained 57 Million Users’ Personal Data In 2016 Breach

Taking into account the recent spike in Uber account hacking incidents in Singapore, Uber users may now have one more reason to be on high alert.

It now seems that 57 million Uber users’ personal data have been compromised in a 2016 hacking incident. This was announced belatedly on Tuesday (21 Nov) by Uber’s new CEO Dara Khosrowshahi.

What’s worse is that despite Uber’s co-founder Travis Kalanick’s knowledge of the breach in 2016, he allegedly agreed to buy the hackers’ silence and deletion of the data for USD100,000. Yikes.

So should Singapore Uber users have any cause for concern? To find out, we’ll have to take a look at how it all went down.

Grand Data Theft Auto

According to BBC, hackers gained access to a private GitHub server and obtained the login credentials of Uber engineers.

Using their login information, the hackers then accessed user data stored on an Amazon Web Services account. This is an account that utilises Amazon’s cloud computing service to store company related data.

Once the hackers had gotten their hands on the data, they contacted Uber directly and asked for cash in exchange for their silence and deletion of the data.

In total, the hackers stole personal information from 57 million customers and 7 million drivers.

The personal data stolen included names, email addresses and mobile phone numbers of riders. About 600,000 drivers also had their driver’s license information leaked.

Fortunately, social security numbers, credit card details, and trip location information of the riders were not part of the data breach.

The plot thickens

Apparently, Uber’s new CEO only found out recently that the breach happened and felt it necessary to inform the public. This comes a full year after the incident occurred.

In response to the breach, Uber has fired Chief Security Officer Joe Sullivan, the man allegedly who took the lead on keeping this incident under wraps.

According to Uber, no “evidence of fraud or misuse tied to the incident” has been uncovered so they do not believe the data accessed was ever used illegally. However, they also refuse to disclose who masterminded the theft.

Uber has promised to continue monitoring the affected accounts and have already flagged those affected for “additional fraud protection”.

Unlikely connection to Singapore account hacking incidents

Singapore users have reportedly been experiencing a recent spike in Uber related credit card frauds, mostly involving unauthorised charges for overseas rides to their personal credit cards linked with the Uber accounts.

In some cases, these mischarges have even amounted to thousands of dollars worth of rides. A brief glance at a Reddit thread started by a person experiencing a similar scam proved worrying, as many Singaporeans shared similar experiences.

However, we should not be too quick to draw the link to Uber’s recently announced data breach.

Uber Singapore has not stated officially that affected accounts include local users. Most importantly, no credit card information was reportedly lost in this data breach.

Previously, Uber Singapore has clarified that there are a “myriad (of) reasons” why such ‘phantom rides’ occur. This includes the user’s own responsibility in “safeguarding personal information security” and whether the device itself “has been compromised”.

They have also repeatedly assured users that payment information is always encrypted when entered into the Uber app.

Unfortunately, what they haven’t been able to explain is why hackers could exploit their app to create these fradulent transactions in the first place.

Join the resistance

It may be tough for Uber to regain the trust of their users on the back of this data breach. Though no definitive link may be made to local hacking incidents, data protection and account security are clearly concerns that Singaporeans hope Uber will address promptly.

If you suspect that your payment information has been stolen or if you’ve experienced a similar scam on your Uber app, do contact your bank immediately.

Uber’s support team has confirmed that they will work with banks to refund all unauthorised trips.

Anyway, when it comes to Singapore’s public transport, we can always turn to other alternatives. With the exception of our MRT of course, especially in the light of recent inexplicably shocking accidents.

Or maybe, we could consider joining the resistance instead.

Featured image from Uber Singapore’s Facebook