Uber hack: Should you delete the ride-hailing app? This is what the experts advise

 
Caitlin Morrison
Follow Caitlin
Chaos Computer Club Annual Congress
Hackers accessed the details of 57m Uber users last year (Source: Getty)

Uber has been rocked by a wave of bad news over the past few months, including the departure of its co-founder and chief executive Travis Kalanick and the loss of its operating licence in London.

And there was more bad news for Uber last night as it emerged that the ride-hailing app had been hacked last year, affecting 57m users. The tech firm admitted that it failed to notify customers or regulators when the breach took place.

This morning, UK authorities confirmed they have launched an investigation into the cyber attack. James Dipple-Johnstone, deputy commissioner of the Information Commissioner's Office, said the concealed data breach "raises huge concerns around (Uber's) data protection policies and ethics".

So should users delete the app?

Richard Parris, chief executive of cyber security firm Intercede, says users should certainly consider doing so.

"Every time we as consumers use services like Uber, we knowingly share our personal information and we trust that those details are kept securely, away from the prying hands of cyber miscreants. If consumers can’t trust companies to keep their data safe, they ought to stop using their services," he stated.

“The data that Uber held appears to have been protected with basic authentication credentials – in all likelihood, a username and password. When secure alternatives are available that would have easily prevented this breach, that is a cavalier approach to security that ought to be outlawed.

"With the new GDPR legislation coming into force next year, it’ll be interesting to see the repercussions of this for Uber in the long term. Let’s hope this is a hefty warning to all companies on a textbook example of how not to handle a data breach."

Deeper issues

The news that Uber covered up a significant data breach is "unfortunately, unsurprising", according to Etienne Greeff, chief technology officer and co-founder of security service provider SecureData. Greeff added that while the breach was not on the same magnitude of previous examples, such as the Equifax hack earlier this year, and Yahoo's security issues last year, "it goes to show that big business seems to care far more about covering its own back than the people’s data that is compromised".

He also said it's clear there is a big problem with Uber's approach to customer security.

"This isn’t the first time Uber have been in the spotlight for not reporting a breach - this first happened in 2016 for a breach in 2014," Greeff added.

There is evidently something wrong here.

"Firstly there seemed to be no strong authentication, merely a password, for data stored on cloud infrastructure, and also the use of public cloud to store this incredibly confidential information, without the proper controls in place - frankly it’s staggering."

What action should you take?

David Emm, principal security at Kaspersky Lab, had the following advice: "It's not a good idea to routinely change passwords (if this is done frequently, it makes it more of a challenge to remember them – with the result that people choose simple, easy-to-remember but easy-to-guess passwords), but in a situation like this it’s essential to change your password if you think your details might have been leaked, or you think your account might have been hacked.

"It’s also good to use two-factor authentication, if an online provider offers it: this is where you are required to enter a second one-time passcode (sent to you via SMS, for example), in order to make changes to your account settings. This will ensure that the damage from a hack is limited.

"If you’re curious whether your details have been part of a data breach, websites like haveibeenpwned.com can let you know using only your email address."

Uber's response

Uber has said it does not "believe any individual rider needs to take any action".

"We have seen no evidence of fraud or misuse tied to the incident. We are monitoring the affected accounts and have flagged them for additional fraud protection," the company added.

"We encourage all our users to regularly monitor their credit and accounts, including their Uber account, for any issues."

Related articles