These days we seem to have a cybersecurity incident every hour on the hour. It is understandable that a company is embarrassed when a cybersecurity incident occurs and finds it difficult to face. Yesterday, it was Uber's turn to make an announcement, this one about the private data of 57 million users worldwide. According to CEO Dara Khosrowshahi, the incident occurred in 2016, when two people accessed Uber data stored in a third-party cloud service.
If you're looking for good news from this cybersecurity incident, Uber claims to have seen no access to travel history, credit card numbers, bank account numbers, Social Security numbers or birth dates. But other personal information was accessed, including the driver's license numbers of 600,000 US drivers. Other "personal information" was accessed for 57 million users, such as names, email addresses and mobile phone numbers.
In a blog post Khosrowshahi said:
As CEO of Uber, it is my job to set our course for the future, which begins with the construction of a company of which all Uber employees, partners and clients can be proud. For that to happen, we have to be honest and transparent as we work to repair our past mistakes.
I recently discovered that at the end of 2016 we realized that two people outside the company had improperly accessed user data stored on a third-party cloud-based service that we use. The incident did not violate our corporate systems or infrastructure.
At the time of the incident, we took immediate measures to protect the data and close unauthorized access by people. Later we identified the individuals and obtained guarantees that the downloaded data had been destroyed. We also implemented security measures to restrict access and strengthen controls in our cloud-based storage accounts.
You may be asking why we are talking about this now, a year later. I had the same question, so I immediately requested a thorough investigation of what happened and how we handled it. What I learned, particularly around our failure to notify affected people or regulators last year, prompted me to take several steps:
- I asked Matt Olsen, co-founder of a cybersecurity consulting firm and former general counsel for the National Security Agency and director of the National Counterterrorism Center, to help me think about the best way to guide and structure our security teams and processes in the future. As of today, two of the people who led the response to this incident are no longer with the company.
- We individually notify drivers whose driver's license numbers were downloaded.
- We provide these drivers with free credit monitoring and protection against identity theft.
- We are notifying the regulatory authorities.
- While we have not seen evidence of fraud or misuse related to the incident, we are monitoring the affected accounts and have marked them for additional protection against fraud.
None of this should have happened, and I'm not going to make excuses for it. While I cannot erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, placing integrity at the center of every decision we make and working hard to gain the trust of our customers.
Uber users can obtain more information about this cybersecurity incident at the link provided by the company.
What do you think of this cybersecurity incident involving Uber? Do you think that announcing it a year after the fact is a problem?