Uber Database Breach Exposed Information Of 50,000 Drivers, Company Confirms

Uber announced today that its database was breached by an unauthorized third party last year. The company confirmed the breach in a company blog post published this afternoon, authored by Uber’s managing counsel of data private Katherine Tassi.

The breach, which occurred on May 13 2014, revealed the names and license plate numbers of approximately 50,000 drivers across various states. Uber says that the number of drivers who had their information exposed during the breach represents “a small percentage of current and former driver partners” and that thus far, there have been no reports of misuse of the information that was exposed.

Uber is currently notifying the drivers.

Uber said in the post that it discovered a breach occurred in September 2014, and that it subsequently immediately changed its access protocols and began investigating. The company hasn’t specified why it waited this long to publicly disclose the breach or notify the drivers affected.

Uber says it will offer a free one-year membership of Experian’s ProtectMyID Alert, which is an identity theft protection service, to the drivers that have been affected. The company has also filed a “John Doe” lawsuit to discover the identity of the hacker.

Here’s a full transcript of Uber’s blog post:

In late 2014, we identified a one-time access of an Uber database by an unauthorized third party. A small percentage of current and former Uber driver partner names and driver’s license numbers were contained in the database. Immediately upon discovery we changed the access protocols for the database, removing the possibility of unauthorized access. We are notifying impacted drivers, but we have not received any reports of actual misuse of information as a result of this incident.

Uber takes seriously our responsibility to safeguard personal information, and we are sorry for any inconvenience this incident may cause. In addition, today we filed a lawsuit that will enable us to gather information to help identify and prosecute this unauthorized third party.

Here’s what we know:

  • On September 17, 2014, we discovered that one of our databases could potentially have been accessed by a third party.
  • Upon discovery we immediately changed the access protocols for the database and began an in-depth investigation.
  • Our investigation revealed that a one-time unauthorized access to an Uber database by a third party had occurred on May 13, 2014.
  • Our investigation determined the unauthorized access impacted approximately 50,000 drivers across multiple states, which is a small percentage of current and former Uber driver partners.
  • The files that were accessed contained only the name and driver’s license number of some driver partners.
  • To date, we have not received any reports of actual misuse of any information as a result of this incident, but we are notifying impacted drivers and recommend these individuals monitor their credit reports for fraudulent transactions or accounts.
  • Uber will provide a free one-year membership of Experian’s® ProtectMyID® Alert. If impacted driver partners have questions or need an alternative to enrolling online, please call (877) 297-7780 and provide the Engagement number listed in the notification letter.
  • We have also filed what is referred to as a “John Doe” lawsuit so that we are able to gather information that may lead to confirmation of the identity of the third party.