Thousands of Uber customers are believed to have had their accounts hacked by Russians after users of the app reported being billed in roubles for taxi journeys they had not taken in Moscow and St Petersburg.
More than 800 people in Britain and the United States have complained on Twitter that their accounts were taken over in the past year, The Times found, with the number of reports spiking in April and May. Experts said this number of Twitter reports suggested that the true figure would be much higher.
On Tuesday Uber revealed that the data of 57 million customers had been exposed in a hack in October last year. The Information Commissioner’s Office (ICO) has begun an investigation and said it had “huge concerns” about the company’s security and ethics.
It was not clear last night whether the accounts hijacked by Russians were compromised in last year’s hack or in separate attacks. Uber claimed that there was “no evidence” of fraud or misuse of accounts resulting from the hack that it revealed on Tuesday and denied that Russians were involved, although it refused to name the culprits.
The ICO launched its inquiry alongside the National Crime Agency and security services to try to identify the perpetrators and establish the true scale of last year’s breach. Uber, which is based in California, has not said how many British customers were affected. The company is believed to have more than six million UK users.
In September Uber lost its licence to work in the capital after Transport for London deemed it “unfit” to run a taxi service. It continues to operate while going through an appeal process.
Uber, which paid the hackers $100,000 (£75,000) to keep quiet and delete the data, said it obtained assurances from them that the hacked information was destroyed. Experts accused the company of naivety, however.
At the time, Uber was wrangling with US regulators over previous failings including data mishandling, privacy violations and security complaints.
Customers whose accounts have been used in Russia said they believed that their data was sold on the dark web. In April, one user in Leeds wrote: “I’ve been hacked, someone in Moscow has used my account and charged my card £54.55.” Yesterday Lauren Rees, from Bromley in south London, tweeted: “I knew I wasn’t going bloody crazy when my details kept changing to a Russian phone number and details . . . Uber support were not helpful.”
The ICO said that the company could face steep fines for deliberately concealing the attack, which resulted in the loss of names, email addresses and phone numbers. Uber says it does not appear that credit card numbers, bank details, dates of birth, passwords or journey histories were downloaded.
The company said that it had fired its chief security officer, Joe Sullivan, and a deputy, Craig Clark, this week over their role in the incident. Mr Sullivan was formerly the top security official at Facebook Inc and a federal prosecutor. He declined to comment. Mr Clark could not be reached for comment.
Dara Khosrowshahi, Uber’s chief executive, said: “None of this should have happened. I can commit on behalf of every Uber employee that we will learn from our mistakes.”
How difficulties unfolded
February 2014 Travis Kalanick, Uber’s founder and chief executive, is criticised for sexism
November 2014 It is revealed that Uber uses software that enables staff to track the locations of users
October 2016 A London employment tribunal rules that Uber drivers are workers, rather than self-employed
March 2017 Mr Kalanick is captured on an Uber driver’s dashcam, swearing at him after he complained about the company’s treatment of drivers
June 2017 Mr Kalanick resigns, under pressure from investors
September 2017 Uber loses its licence to operate taxis in London, and appeals
November 2017 Uber discloses a hack of 57 million customers’ data
Q&A
Has Uber broken the law by concealing the hack?
In the US, yes. Companies there have a legal obligation to disclose hacks quickly. Solicitors said Uber had not broken the law in the UK but would have done so under stricter rules coming in next May. Under the incoming General Data Protection Regulation, Uber would have had to disclose the breach within 72 hours of discovery or face a fine of 4 per cent of global revenue or €20 million.
Did it act illegally by buying off the criminals?
No. The payment of ransoms is not illegal, unless the proceeds are to fund terrorism, according to Susan Hall of the law firm Clarke Willmott. The High Court confirmed this in 2010 in a case relating to a ship seized by pirates in Somali waters.
How was the hack carried out?
The hackers somehow gained access to Uber’s GitHub account, where the company’s software engineers store code and track IT projects. There they found the username and password giving them access to customers’ data stored on a server owned by Amazon. Technology experts said that storing the login credentials in GitHub was a basic error.
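The basic error described above, credentials committed to a code repository, is one that a repository owner can check for mechanically before code is pushed. The script below is an added example written for this page, not Uber's code or tooling and not connected to the actual incident: it scans file contents for a documented credential format (an AWS access key ID, which is "AKIA" followed by 16 upper-case alphanumerics) and for two heuristic patterns assumed here for illustration (a 40-character secret assigned to a variable named aws_secret_access_key, and a quoted value assigned to a variable called password). The sample files it scans are constructed for the example, and the key values in them are the placeholder values from AWS documentation, not real credentials.

```python
import re

# Patterns for credential material that should never be committed to a repo.
# The AWS access key ID format (AKIA + 16 upper-case alphanumerics) is the
# documented one; the secret-key and password assignment patterns are
# heuristics written for this example and will not catch every case.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("aws_secret_access_key",
     re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})")),
    ("hardcoded_password",
     re.compile(r"(?i)\b(password|passwd|pwd)\s*[=:]\s*['\"]([^'\"\s]{6,})['\"]")),
]


def find_secrets(text):
    """Return a list of (line_number, pattern_name) for every line of `text`
    that matches one of SECRET_PATTERNS. Line numbers are 1-based."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append((lineno, name))
    return findings


def scan_files(files):
    """`files` maps a repository path to its contents. Returns a dict of
    path -> findings for files that contain suspected secrets; clean files
    are omitted. A pre-commit hook would call this over the staged files and
    refuse the commit whenever the result is non-empty."""
    report = {}
    for path, content in files.items():
        hits = find_secrets(content)
        if hits:
            report[path] = hits
    return report


# Constructed sample repository contents (not real credentials; the access
# key ID and secret key are the placeholder values from AWS documentation).
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "deploy/db.yml": "host: db.internal\npassword: \"s3cr3tpass\"\n",
    "README.md": "# Service\nSet AWS_ACCESS_KEY_ID in the environment, never in this repo.\n",
}

if __name__ == "__main__":
    # Print a report in the style a pre-commit hook would show the developer.
    for path, hits in scan_files(SAMPLE_FILES).items():
        for lineno, name in hits:
            print(f"{path}:{lineno}: possible {name}")
```

Run as a script it prints one line per suspected secret; wired into a pre-commit hook, a non-empty report would block the commit. Pattern matching of this kind only reduces the chance of a credential reaching the repository; the corresponding mitigation on the other side is to keep such credentials out of source control entirely (environment variables or a secrets manager) and to rotate any credential that has ever been committed, since repository history retains it even after it is removed from the current tree.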
Will this affect Uber’s appeal against TfL?
Transport for London stripped Uber of its licence to operate in the capital on the grounds that it was not a “fit and proper” company. Uber is appealing against that decision and can continue to operate while it does so. TfL wouldn’t comment yesterday but experts said it was likely that its lawyers would say the hack proved that Uber remained unfit.