Ridester has learned that Uber is sending out notifications to more than half a million U.S. drivers this week, informing them that their personal data was part of the massive data breach Uber experienced 13 months ago in October, 2016.
The hackers stole personal data of more than 57 million people, according to Uber. This includes drivers and riders.
If you’re a driver and you haven’t received a notice yet, you can visit here and ask Uber directly if your personal information was part of the data that was stolen. They’ll get back to you shortly and let you know.
Uber May Have Violated Laws in 48 States by Not Informing Drivers Immediately
When Uber discovered this massive data theft in November 2016, they may have been required by law, in 48 states, to notify drivers and passengers immediately. However, their first formal notice is just now going out in November, 2017. That’s a whole year they went without informing drivers that their personal information was stolen and now in the hands of hackers.
If drivers had been informed of it sooner, as is likely required by law, they could have taken important steps to minimize or eliminate potential damage. But by being left in the dark for more than a year, Uber has put them at substantial risk of identity theft.
The more you learn about how electronic identity theft works, the more you realize that early notification is critical because there are many defensive actions you can take to protect yourself. But if you’re not informed, you lose the opportunity to protect yourself.
That’s why Uber’s failure to notify drivers and riders is so serious. They cost drivers the opportunity to protect themselves when that protection would have been most effective – which was just after the data was stolen. By waiting more than a year to inform drivers, any damage that was going to be done has most likely already been done. The bottom line is once thieves have your personal data (even if they promised Uber they wouldn’t do anything bad with it) – you have to assume that your privacy is lost forever and you have to actively protect yourself for the rest of your life.
Uber claims that they have “seen no evidence of fraud or misuse tied to the incident.” But how could they possibly know? And after all we’ve seen them do, does anyone really believe they’d admit to it if they had seen evidence of fraud and misuse? Uber is saying what they need to say to protect themselves. But in order to protect ourselves, we have to assume that this data has all been sold and misused already.
Understanding How Electronic Identity Theft Works
Identity thieves are very creative in getting the information they want. What they ultimately want is your name, social security number and any credit card or bank account numbers they can get. With those few pieces of information they can pretty easily get any other information they want. If they can also get your name along with your email address, phone number and home address, that’s a super win for them!
As far as riders go, thieves would theoretically be able to get their names, home address, email address and at least one credit card number. For drivers, they would be able to get all that, plus a bank account number and a driver’s license number. Fortunately, today driver’s licenses no longer contain social security numbers – but with a driver’s license number a thief is much closer to getting what he wants and they can do significant damage anyway to your name and reputation.
With this partial information, an identity thief could easily design an effective phishing attack around it. Phishing is a way electronic data thieves request confidential information either over the internet or by phone, under false pretenses. They’re basically “fishing” for information.
It works like this. Imagine, you get an email that looks just like one from Uber, and it’s sent to the email address Uber has on file for you. And they address you by the first name Uber has on file for you. How likely are you to realize that this email isn’t really from Uber? You see, the more real information they can put into a fake email – the more likely you will be to fall for their scam information request.
That’s why Uber should have notified every driver of this the minute they found out about it. And to this day they have still not notified every driver. Ridester has received reports that some drivers have been proactively notified within the last week – but those are only the drivers who Uber identifies as ones whose information was part of the stolen data. For the rest of drivers who Uber has not identified as having their information stolen, Uber has been completely silent.
I contacted Uber yesterday through their website to ask if they identified my information as having been stolen. They wrote back a few hours later and said, no. But they have never reached out to me to inform me that driver information was stolen and they have never warned me to be on the lookout for phishing messages. Yet they are fully aware of the many well-publicized phishing scams that have gone on this year involving drivers. Many drivers have had their pay instantly stolen when they fell for some pretty convincing phishing scams.
In fact, here’s an example of exactly the type of phishing scam I’m talking about, from Twitter user Dale Meredith who is a Microsoft trainer and an IT Security specialist:
In this phishing email, notice that on the From line it says it’s from “Uber”. That’s all most people will see. For those who look a little closer, they’ll see the full email address is “firstname.lastname@example.org”. That looks pretty legit and if you’re not paying close attention you’ll not even stop to think that Uber’s domain name is “uber.com” not “uberapp.co”. And you may not even notice it ends in .co instead of .com. And if you do happen to notice, you may not think anything about it.
For Dale who received this email, most likely when he first saw that the email was sent to the email address he has on file with Uber, he was probably momentarily fooled.
Almost all of these phishing emails though, have a dead give-away somewhere in the message text. Although this one was better than most, up until the last paragraph. In the last paragraph they say that Uber has partnered with Lyft and they’re asking people to sign up with Lyft! If that’s not a dead give-away then nothing is. But a person has to be pretty alert to see and notice something like that. A lot of people would be easily fooled by this email. They’ll click on the “Change Your Password” link, thinking they’re keeping their account safe. While they’re actually giving the scammers their Uber password.
Whoever sent this email, very likely got Dale’s email address from the Uber data breach.
What Personal Information was Stolen on Drivers?
Uber says the only personal information stolen from drivers’ accounts was their name and driver’s license number. However, I think at this point we have to take Uber’s word with a very large grain of salt. So, don’t assume that was all that was stolen. And don’t even assume your information wasn’t stolen if they tell you it wasn’t. It’s not certain that they really even know what all was stolen. Remember, the hackers had access to Uber’s data for a full month.
What to Do if Uber Says Your Personal Info was Stolen
- If Uber has you on the list of people whose data was stolen, they will enroll you, at no charge, to a year of free credit monitoring with Experian. However, Ridester recommends that all drivers, whether you’re on their list or not, should sign up for a free Credit Karma ID monitoring service as well.
- If you think you have already been the victim of identity theft, Ridester recommends reporting it to the FTC, here.
- Everyone should also change their Uber password and if you use that same password anywhere else, you should change it everywhere else you use it. It’s not a good idea, by the way, to use the same password for more than one login. Your passwords for every single site and app you login to should always be different. That’s because if a scammer gets your password from one data breach, such as this one with Uber, then they have your password for all your other accounts where you use the same password. They can easily login to your Lyft account or your Amazon account because they already have your email address, phone number and now password.
You may wonder how anyone could possibly keep up with different passwords for every account and that’s where password management software comes in. Just look up “password managers” on Google. Or, check out one of the biggest ones, LastPass. It works on computers, phones and tablets. And the nifty thing with phones and tablets is it can automatically log you into apps as well as web pages. You can literally have a different password for every one of your accounts without ever having to remember a single one.