Uber cyber hacked – the repercussions

Following its official announcement last Friday, admitting its database was hacked, Uber has been taking legal action. The transport solutions app is pursuing legal means to trace the hackers. Its motion to court reveals the company’s own employees accessed the open source platform GitHub. Uber called on GitHub to disclose the IP addresses of anyone who had accessed the URL leading to Uber’s sensitive database. That link is no longer viable.

Cyber security and IT experts note that the motion Uber made to GitHub shows that an Uber employee or subcontractor saved the system’s entry code on the open source platform. This allowed hackers to break in and use the code to penetrate Uber’s database, complete with highly sensitive user data. Previous inspections have already revealed that a simple search within the GitHub platform renders numerous passwords – designed to safeguard sensitive projects and major corporations’ details – completely visible.

The break-in took place on May 13, 2014. Uber only discovered the hack last September. Some 50 thousand of the application’s user names worldwide were compromised, along with their driver licenses. Uber claims that right after discovering the hack, it changed the database protocols and blocked access by unauthorized parties.

Uber’s admission to being hacked comes at a particularly sensitive time. The company wants to feature its service in Israel as well. Yet, as in many countries worldwide, Israeli authorities too have heaped on regulatory demands which put a damper on Uber’s operations. The company has spent recent months negotiating with the authorities to allow it to extend its transport solution to carpooling, and not strictly taxi services. Israeli transportation regulations do not allow this.

Nevertheless, having lobbied and advertised at length, Uber has succeeded in getting Israeli authorities and regulators to re-examine their respective positions. They agreed to study Uber’s global track record and then issue their ruling. Whereas Israeli regulators are mindful of costs and insurance issues, IT and cyber security seem to be last on their agenda.

This is hardly the first time Uber has gotten the wrong end of the stick when it comes to privacy and data security. Various publications attest that Uber’s employees have been too indiscreet in their use of various platforms which track the location of specific users. These stories gained momentum after it was revealed that Uber monitored the transportation patterns of journalists who published bad reviews of the app.

Yet another PR fiasco unfolded when Uber showcased 30 prominent users’ movements. If that was not enough, a prospective employee said that as part of his job interview, he was given access to user accounts. He added he could still monitor the users quite a few hours after his interview was over.

The database hack, on top of these events, prompted Senator Al Franken (D-MN), member of the Subcommittee on Privacy, Technology, and the Law, to send Uber a letter demanding clarifications concerning its privacy policy. The company replied saying it had limited access to its databases strictly to authorized personnel. Uber further claimed it had replaced the employees’ platform with another, which masks the users’ identity. Company employees cannot access classified information without senior employees’ clearance.

Moreover, Uber said it had adopted new protocols and procedures according to which clients’ data is to be deleted once they delete their accounts. Uber has also begun to screen its employees, complete with background checks. The company further pledged to conduct more frequent checks and monitor its app more closely, as well as help users better understand its privacy policy.