Beleaguered taxi firm Uber has accidentally revealed the personal data of hundreds of its drivers, exposing names, social security numbers, pictures of drivers licenses, tax forms and other sensitive information.
An anonymous Uber driver speaking to Motherboard, said he discovered other people’s data when he tried to upload a document to his account.
He said that when he refreshed the page, which should have only displayed his own details, he was instead met with a screen full of other drivers’ information:
When I looked closer, it might have been the database of Uber drivers that are taxicab drivers that have access to Uber. There were a lot of taxi certification forms and livery drivers licenses and W-9 forms with Social Security numbers for taxi cab companies.
A few hours later Uber confirmed the issue, saying it had affected no more than 674 of its US drivers and less than a thousand documents had been viewable by other registered drivers who were logged into their accounts:
We were notified about a bug impacting a fraction of our US drivers earlier this afternoon. Within 30 minutes our security team had fixed the issue. We'd like to thank the driver who drew it to our attention and apologize to those drivers whose information may have been affected. Their security is incredibly important to Uber and we will follow up with them directly.
According to Gawker, the accidental exposure of drivers’ information was linked to the release of a new Uber Partner app designed by the company “to give drivers more information so Uber works better for them.”
The app allows drivers to manage their accounts and track their fares, and acts as a hub for new recruits to upload their documentation including scans of Social Security documents and driver’s licenses – the exact type of information an identity thief could have a field day with.
As many of you will already know, Uber has something of a poor reputation when it comes to protecting user and driver data.
Only last month, Motherboard ran another story in which it revealed how the company was not logging users out when they reported their accounts were hacked and asked for a password change, a situation that allowed the intruders to continue hailing rides from compromised user accounts long after they had been breached.
Continuing the same theme, we explained last month how hacked accounts – picked up for as little as 40 cents on the dark web – were being used by fraudsters to book rides in China, a problem potentially not helped by Uber’s insistence on emailing out new passwords in plaintext.
Earlier this year we reported how the company’s driver database had found its way onto GitHub, exposing the details of some 50,000 drivers.
This breach is now being loosely linked to competitor Lyft, after Uber discovered how an IP address – allegedly associated with Lyft’s CTO, Chris Lambert – had accessed the database using a key leaked on GitHub. Lyft has denied any wrongdoing.
Then there was the internal lost and found database which exposed customer data after being published and then left online.
Another of Uber’s privacy debacles involved a job applicant who was given unrestricted access to customer data both during his interview and for several hours afterwards.
While the hiring of car-hacking security researchers Charlie Miller and Chris Valasek may help Uber lock down security on its planned use of driverless cars, the company still has work to do protecting privacy of drivers and customers.
Uber has in the past reacted badly to criticism of its security practices by journalists, on occasion violating their privacy – one executive suggested exposing potentially embarrassing information on any who criticised the company; another journalist was tracked because she was late for a meeting with the firm.
Looks like ex-Facebook and now Uber CSO Joe Sullivan still has his work cut out.