23 Nov 2017

Kiwi names, numbers and emails in huge Uber data breach

11:57 am on 23 November 2017

New Zealanders were among those affected by a huge worldwide data hack on Uber.


Photo: RNZ / Diego Opatowski

It emerged yesterday that Uber concealed a hack that affected 57 million customers and drivers, the company confirmed. The 2016 breach was hidden by the ride-sharing firm which paid hackers $100,000 (NZ$145,000) to delete the data.

A spokeswoman for Uber in New Zealand confirmed Kiwis were included in the data hack. She said none of the New Zealand users' sensitive information, such as credit cards or bank account information, was downloaded in the breach.

"However, some phone numbers, email addresses and names were downloaded. While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection."

It's not clear how many Kiwis were affected.

Uber said the New Zealand Privacy Commissioner has been informed.

A spokesman for the Privacy Commissioner confirmed the ride-share company had been in contact, but they did not provide any information about the number of people affected.

The data hack

The company's former chief executive Travis Kalanick knew about the breach over a year ago, according to Bloomberg, which first broke the news.

The hackers found 57 million names, email addresses and mobile phone numbers, Uber said.

Within that number, 600,000 drivers had their names and license details exposed. A resource page for those affected has been set up.

Drivers have been offered free credit monitoring protection, but per Uber's statement, affected customers will not be given the same.

"None of this should have happened, and I will not make excuses for it," he added.

"While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes."

In the wake of the news, Uber's chief security officer Joe Sullivan has left the company.

Uber did not confirm precise details of the hack, but according to Bloomberg's report, two hackers were able to access a private area of GitHub, an online resource for developers.

From there it is understood they found Uber's log-in credentials to Amazon Web Services. AWS is a cloud computing service used by companies to store data.

As is of the case, it will likely be the cover up that proves more bothersome for Uber than the hack itself.

Companies are required to disclose significant data breaches to regulators, something it has by its own admission failed to do in this case.