
Uber takes breach victims for a ride and pays

Avast Security News Team, 28 November 2018

Around 64 million victims were not told they were hacked — were you one of them?

The UK’s Information Commissioner’s Office (ICO) and the Dutch Data Protection Authority (DPA) have each levied fines on international car service Uber to the tune of a collective £900,000. The fines were imposed for, in the words of the ICO, “failing to protect customers’ personal information during a cyberattack” as well as for allowing its system to be hit by an “avoidable” security problem.

We reported on this data breach back in March, but at that time the situation had not yet been fully investigated. The cyberattack struck the company in 2016 when a 20-year-old American hacker used credential stuffing to expose the accounts of 57 million passengers and 7 million drivers. In a remarkably unethical reaction to the cyberattack, instead of alerting account-holders that they had been hacked, Uber kept it quiet, paying off the hacker with $100,000 to simply go away and delete the stolen data.

Names, phone numbers, email addresses, and driver’s licenses were compromised in the hack. In his official statement on the matter, Uber CEO Dara Khosrowshahi provides links that compromised riders and drivers can click on for further info, but he says no action is required at this time by the hacked account owners.

While £900,000 is no small amount, Avast Security Evangelist Luis Corrons notes that Uber would have suffered more dire consequences if the breach had happened today. “We might be seeing cases like this with even bigger fines in the near future,” says Luis. “With GDPR now in place, even failing to communicate the breach within seventy-two hours brings a fine for any company, let alone what Uber did here.”

If you worry your info might have been exposed in the Uber breach, Avast recommends these actions to ensure your safety:

  1. Change your passwords — It’s the easiest change to make, and one of the most effective measures you can take. So often, these large-scale data breaches involve old passwords that are still in use. If you use any passwords that have remained the same for longer than six months, change them tout de suite. For ready-to-use complex passwords, use the free Avast Random Password Generator.

  2. Get a copy of your credit report — In the US, you are entitled to a free copy of your credit report once a year. Go to AnnualCreditReport.com to request yours. Stay in tune with your credit score and make sure it accurately reflects your spending habits.

  3. Consider a credit freeze — If you sense something is amiss and want to temporarily freeze your credit, there’s good news. The Equifax breach last year triggered a new awareness of consumer rights, and as of September this year, it is now free to freeze and unfreeze your credit at each of the three major credit bureaus — Experian, Equifax, and TransUnion.

