For all the talk about 2017’s massive data breaches, 2016 is retrospectively shaping up to be a bigger year than previously thought. On November 21, Uber announced that hackers stole the personal data of 50 million of its customers and 7 million of its drivers. Sadly, the announcement came 13 months after the actual breach.
In October 2016, two hackers broke into a third-party server, absconded with the data, then demanded $100,000 in ransom to delete the stolen information. Uber not only paid the ransom, but forced the hackers to sign non-disclosure agreements and fudged the books to make the ransom payment look like bug bounty.
Whether you’re a regular Uber rider, have only used Uber a couple times to catch a ride, or even just downloaded their app and put your information in, this breach could apply to you. It’s possible that your name, phone number, and email address were stolen. Uber has a page specifically for riders that details how to get any help, though they say there’s currently no action riders need to take. Uber does not offer a way to determine if your information was compromised, so active or passive Uber riders will have to figure this out and deal with it on their own.
In addition to 7 million driver names, phone numbers, and email addresses, the stolen data also contained 600,000 driver’s license numbers. Uber says they will notify the affected drivers.
This is neither Uber’s first breach nor the first time it hasn’t been promptly disclosed. The new CEO Dara Khosrowshahi learned of the breach nearly two months before announcing it publicly, but ordered an investigation immediately and made the announcement after the investigation was complete. He also fired two people who were involved with this breach.
Uber isn’t the only transportation company to suffer a hack; in 2014, a local Chicago bank identified fraudulent account activity and found that Chicago taxis were the source, however that was much more limited in scope. But Uber’s hack seems, well, uber-bad because the New York attorney general fined them $20,000 for not reporting the 2014 breach, and they were simultaneously negotiating a privacy settlement with the FTC when this 2016 breach occurred.
But Uber will have to sort that out themselves. Let’s focus on the compromised information itself and what you can do about it if you think you may be a victim of the hack. If you’ve ever used Uber to catch a ride, or even just downloaded the app and put in your information, this will apply to you.
What can hackers really do with just your name, phone number, or email?
While it may not seem like information as sensitive as a Social Security number, a mobile number is all a hacker needs to track someone’s location, read texts, and listen to phone calls. Savvy hackers can even use your phone number to hack your bank or email. And if you have two-factor authentication enabled through your phone, all a hacker needs to do is say they “forgot” your password and have a new code sent to your hacked phone.
There’s even more that hackers can do if they get into your email, especially since nearly every online service is tied to an email account. Bad actors can hold your mailbox ransom, access your computer, get into your bank account, and far more.
Not all threats to your privacy are posed by advanced hacking techniques. In fact, nearly two-thirds of today’s hacking comes in the form of social engineering. Social engineering occurs when criminals use limited information, like a person’s email address or phone number, to manipulate others into revealing confidential details about the victim.
For many businesses, all it takes for a customer service rep to discuss a person’s account is a name and phone number. With a little convincing, a skilled identity thief can easily change the address on file, sign up for services at their home, or even close the account.
What can hackers do with your driver’s license number?
If you’ve ever driven for Uber, or if your driver’s license number was one of the nearly 11 million compromised in the Equifax breach, there’s a risk that a scammer could use your driver’s license number to pin traffic violations on you. If a violation goes unpaid long enough, it could turn into a bench warrant for your arrest.
Someone could also use your driver’s license number to create a synthetic identity, which is essentially a mish mosh of stolen and fabricated personal information that is ultimately harder to track than straightforward identity fraud.
While we can hope that the Uber hackers did indeed destroy the data they stole after receiving the ransom, hope alone is a risky tactic when it comes to your identity. And since hundreds of millions of people had their personal data exposed this year alone, the numbers aren’t really in anyone’s favor.
Here’s what you can do right now.
What to do if you think you were a victim of the Uber hack or any other attack
For PrivacyArmor users
If you’re a PrivacyArmor user, there’s only one step to take: Log in to your account. The portal will walk you through anything you need to do. Because PrivacyArmor already offers comprehensive credit report monitoring, there’s no need for you to manually monitor your credit reports. We’ll pick up on high-risk activity that often goes undetected with traditional reports.
If you happen to find that any part of your identity is exposed, remember that we offer fraud remediation and a $1 million identity theft insurance policy. We’ve got this.
If you don’t use PrivacyArmor
To check if your personal information has been compromised in this or any other hack, here are the things you can do now.
1. Obtain a copy of your credit report
Unlike the Equifax breach, Uber is not offering a way for you to tell if your information was compromised. So it’s better to play it safe and do it yourself. The first step is to get a copy of your credit report. Each of the large credit monitoring companies provides one free report every 12 months. If you haven’t pulled your free report yet this year, do so now with TransUnion, Equifax, and Experian.
Look carefully to ensure that everything on each of the reports is accurate, and make sure to keep the copies of your report so you can reference them in the future.
2. Monitor your credit
Get a service that will proactively monitor your credit scores and that will notify you when suspicious activity occurs. Note that many of these services will not protect you from sophisticated identity crimes, so you will bear the majority of the burden of proactive monitoring.
3. Consider freezing your credit or filing a fraud alert
You want to put a fraud alert on your credit report if someone has indeed misused your information. Putting a fraud alert on your credit account is free, and you only need to tell one of the three credit monitoring companies, as they’re obligated to tell the other two.
A fraud alert will make it harder for someone else to open accounts in your name, but mark your calendar because it only lasts 90 days. Just keep in mind that extending a fraud alert can be challenging, especially if you don’t have a police report.
Freezing your credit is a more secure and long-term solution than a fraud alert. Freezing your credit costs $10 at each credit bureau (so $30 total to freeze with all three), and you will have to call each company individually. A freeze will prevent anyone, even you, from opening an account in your name. If you need to open an account with your credit report, you can initiate a temporary thaw, though that also costs $10.
A credit freeze will not affect your credit score or prevent you from getting an annual credit report. If you want to learn more, check out the FTC’s credit freeze FAQs.
4. File your taxes early
Even though Uber says that no Social Security numbers were exposed in the breach, it’s still a good idea to file your taxes as early as you can, especially in light of this year’s Equifax breach. Doing so prevents anyone with your Social Security number from filing your taxes “for you” and receiving any refund you may be entitled to.