
Uber Database Breach Exposed Information of 50,000 Drivers, Company Confirms - rockdiesel
http://techcrunch.com/2015/02/27/uber-database-breach-exposed-information-of-50000-drivers-company-confirms/
======
therobot24
Data accessed on 5/13/2014, Uber noticed on 9/17/2014, and then notifies
affected on 2/27/2015. Thankfully it was _only_ names and plate numbers, but
still...

All I see from Uber is bad publicity and poor management decisions. I wonder
what it's like to work there from an insider's perspective, 'cause from the
outside it doesn't look good.

~~~
joshmlewis
I'm not defending them on this because that does seem to be a long enough time
to be more proactive about it. You did bring up an interesting point though,
Uber is facing opposition from almost every city they are in. Whether it's
small town South Carolina where I'm from and even in some of the largest
cities in the world. It would be interesting to see how people deal with this
on the inside and how it affects the culture.

~~~
Kalium
Uber's in a position where they get flak for breaking the rules while also
being painfully aware that following the rules is worse for them. They face
opposition, but every time they play nice it doesn't go well for them.

The lesson here is that sometimes, you do much better by breaking all the
rules.

~~~
TeMPOraL
Well, if the only way you can make business is to break laws and be total
assholes to everyone, then it kind of strongly suggests you shouldn't be in
business in the first place.

~~~
dmak
I am not suggesting that they should be assholes, but do you think Napster won
the war by playing by the rules?

~~~
philrapo
What war did Napster win?

------
nathanmock
I accidentally stumbled upon employee admin screens, all by changing a key,
isAdmin = true.
[https://news.ycombinator.com/item?id=9121004](https://news.ycombinator.com/item?id=9121004)

~~~
bhauer
How in the world did you only get 8 points for that? I've upvoted yours. That
seems almost as bad as the incident reported in this thread.

~~~
onewaystreet
Because it's just the UI, you can't actually use it without an admin account.
It's really not an issue at all.

~~~
nathanmock
This is a good point, but there should be more awareness towards the issue as
a whole. I've seen many apps who expose data dangerously. Some developers may
not be aware that these values are exposed (even with SSL), so they should
architect their apps accordingly, reinforcing the fact that you should never
trust the client. I also briefly touch on the fact about this dynamic
architecture and some of the implications it brings.

~~~
tracker1
You mean throwing up a Meteor app with a direct db feed and no fine grained
security at the server side can lead to exploits?
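The two comments above make the same point from different angles: a client-supplied flag like `isAdmin = true` and a direct database feed with no server-side filtering are both cases of trusting data the client controls. The following is an added example (not code from the thread or from Uber) showing the pattern side by side: an insecure handler that reads the role from the request body, and a hardened one that resolves an opaque session id against a server-owned store and projects out fields the caller is not entitled to. The session store, driver table, cookie name `sid` and request shape are all constructed assumptions.

```javascript
// Added example: server-side authorization instead of trusting the client.
// The session store and driver table below are constructed stand-ins for a
// real database; the shapes are assumptions, not any project's schema.
const SESSIONS = new Map([
  ['sess-alice', { userId: 'u1', role: 'driver' }],
  ['sess-ops',   { userId: 'u9', role: 'admin' }],
]);
const DRIVERS = [
  { id: 'u1', name: 'Alice Example', licenseNumber: 'LIC-0001' },
  { id: 'u2', name: 'Bob Example',   licenseNumber: 'LIC-0002' },
];

// Vulnerable pattern: the role is read from a field the client supplies,
// so anyone can set isAdmin: true and receive the full table.
function listDriversInsecure(request) {
  const { isAdmin } = request.body;            // attacker-controlled value
  if (isAdmin === true) return { status: 200, data: DRIVERS };
  return { status: 403, data: null };
}

// Resolve an opaque session id from the cookie header against server state.
// The body is never consulted for identity or role.
function resolveSession(request) {
  const cookie = request.headers.cookie || '';
  const m = /(?:^|;\s*)sid=([^;]+)/.exec(cookie);
  return m ? (SESSIONS.get(m[1]) || null) : null;
}

// Hardened pattern: role comes from the session store; non-admins see only
// their own record, and the license number is projected out for them, so a
// leaked or replayed client request cannot widen what the server returns.
function listDriversSecure(request) {
  const session = resolveSession(request);
  if (!session) return { status: 401, data: null };
  if (session.role === 'admin') return { status: 200, data: DRIVERS };
  const own = DRIVERS
    .filter(d => d.id === session.userId)
    .map(({ id, name }) => ({ id, name }));   // least privilege: no licenseNumber
  return { status: 200, data: own };
}

// Constructed request: a valid non-admin session with a forged isAdmin flag.
const forgedRequest = {
  headers: { cookie: 'sid=sess-alice' },
  body: { isAdmin: true },
};

// Constructed request: no session at all.
const anonymousRequest = { headers: {}, body: { isAdmin: true } };

// Constructed request: a genuine admin session.
const adminRequest = { headers: { cookie: 'sid=sess-ops' }, body: {} };
```

Running `listDriversInsecure(forgedRequest)` returns the whole driver table, while `listDriversSecure(forgedRequest)` returns only Alice's own record without the license number; the same server code refuses `anonymousRequest` with 401 regardless of what the body claims. The projection step is the part a direct-feed framework skips when no server-side field rules are configured.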

------
anseljh
Under California law, data breach notifications "shall be made in the most
expedient time possible and without unreasonable delay".

Civil Code § 1798.82(a):
[http://leginfo.legislature.ca.gov/faces/codes_displaySection...](http://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.82)

I find it hard to square that requirement with Uber waiting 5 months from when
it found out.

~~~
tomjen3
That is a bunch of lawyer words that they can stretch to mean anything. What
we need are hard deadlines, say two days after the break-in. Not enough to fully
find out what happened, but enough to force the companies to act.

~~~
anseljh
It's soft language, but I don't think they can stretch it to mean "anything."
5 months is just way too long.

------
cmurf
Congress needs to stop pissing in the wind and make a federal law on breach
disclosure. Self evidently companies won't universally do this on their own,
and state specific law makes compliance more difficult and expensive.

~~~
tlrobinson
How would such legislation ensure companies are able to detect such breaches
in the first place? For every Target/PSN/Anthem/Uber how many companies aren't
even aware they've been breached?

~~~
cmurf
Withholding knowledge of a breach is self-rewarding which is why there needs
to be a law stating the time frame for disclosure, and either penalties or
liability (per affected customer, employee, contractor, vendor). Lack of skill
in detection is a problem, but I don't know whether Congress is well equipped
to legislate that, and also companies aren't exactly incentivized to just let
themselves get completely owned. They're just ignorant. There's no question
this behavior is changing, even if we're dissatisfied with how slow it's
happening.

I mean, the average Congresscritter probably has no idea what the typical
answer is to "how do you do a password reset?" other than "call daughter/son".
They're not good at establishing competency. They are sorta half way decent at
bringing out the hammer "disclose what you know within X days, or we're going
to fine you... when we do find out when you knew it."

So that brings up the question how the legislation determines whether and
exactly when the company knew they were breached. And I'd say they should
learn from history which is not to be such dicks like they were with hackers
in the 80's and 90's and instantly criminalize disproportionately. We were
learning things as a result of all of that, and by repressing it, we learned a
lot less. So with companies I'd say up front the disclosure needs to be civil
in nature (fines), and if there's willful hiding of what they know, tampering
of evidence, destruction of evidence in an attempt to claim they didn't know
they were breached or how badly, then it becomes criminal and lay down the
hammer. Ultimately though, the worst punishment is up to the states, since the
corporate charter is granted by states, not the feds. Off hand I can't think
of a case where a corporation was executed in this manner though (revoking
its charter or articles of incorporation).

------
ryan_j_naughton
As much as Uber messed up here and there was a security breach, comparable
information is publicly available. For example, the TLC in NYC provides this:

[http://www.nyc.gov/html/tlc/downloads/excel/current_medallio...](http://www.nyc.gov/html/tlc/downloads/excel/current_medallion_drivers.xls)

This is a spreadsheet containing all the taxi drivers in NYC with their names,
license numbers, and license expiration dates. Given that the only information
leaked (according to Uber) were names and license numbers, that really isn't
much beyond what might otherwise be available publicly.

~~~
un1xl0ser
Those are medallion numbers or TLC license numbers, but not drivers license
numbers. They can't be used for identity theft.

------
eddiezane
The TechCrunch article says "license plate numbers" but the Uber post[0] says
"driver’s license number".

[0] [http://blog.uber.com/2-27-15](http://blog.uber.com/2-27-15)

~~~
sschueller
In Massachusetts the driver's license number used to be your social security
number. This was changed, but are there other states that have not done so?

------
jheriko
"cowboys get stung by being cowboys"

The number of f*cks I can give for the company is so low. Just feel sorry for
all the drivers with the leaked information...

------
berberous
Uber really needs to have a public data retention policy stating that they
anonymize or delete all data older than a couple weeks. I'm just waiting for
them to be hacked and have to reveal that people's trip data for years has
been released.

~~~
dredmorbius
Not just Uber.

Obama's proposing data privacy regulations. I think it's worth considering
what you'd like to see involved in same.

~~~
paulannesley
Meanwhile, Australia is about to legislate mandatory data retention :(
[https://stopthespies.org/](https://stopthespies.org/)

~~~
rietta
A data retention policy can state that you delete all non-operational data
after 60 or 90 days. Or that it is moved to one-way encrypted storage for up
to a year. In other words, it can be a security mechanism vs "we keep
everything in the SQL database, forever" that tends to be the default in many
circumstances.

------
logn
> Uber says it will offer a free one-year membership of Experian’s ProtectMyID
> Alert

My ID has been breached twice in other, unrelated incidents. Each time these
ID protection companies want to know my SS# and all sorts of other stuff. My
heart skips a beat imagining them scraping the web for my SS# and CC# in an
otherwise well intentioned effort. I've refused their services and insist they
only provide the insurance policy associated with this.

~~~
Karunamon
It's pretty hard (actually impossible) to pull the information necessary to do
credit monitoring without your PII.

------
louwrentius
This incident - amongst many others - only shows that most companies don't
give a rat's ass about our data or privacy.

They are happy enough if their systems actually work and run. That's enough
for them.

This incident won't cost Uber anything. It won't matter to them. A few
apologies here and there and that will be the end of it.

Maybe, maybe there is some trivial fine to pay, but that will be a rounding
error on their balance sheet.

------
crdb
I see a lot of comments about security, but would be happy to bet this was
simple social engineering and "human hacking". It's sobering to see large-ish
companies that give full read access (and sometimes write) of customer and
financial data to interns, fresh grads and new contractors for expediency.
Young people are cheap. $500 is a new computer or weeks of food to an indebted
student.

Management usually doesn't care, revenue and convenience trump security; until
of course something bad happens, which is why older institutions have
draconian access standards, meetings to discuss who has the right to know
about the meeting to determine the access list management program (true story)
and so on.

Nothing in the press release hints at an actual attack. "An unauthorized third
party accessed our database, and we immediately changed the password" sounds
like they realized one of their competitors hired an intern to get them a
login.

------
seanmccann
Last year Uber was using Backbone and the JSON returned to the client included
ALL information about the drivers you have used for trips including home
address, phone number, etc. I wonder if this has something to do with that?

~~~
joshmn
You could also use an auth token from the Android app and snoop around other
users if you knew some info about them, which you could if you had access to a
driver's phone (I did/do).

------
spdustin
And depending on the state, you can find out the driver's birthday, or even if
their real name is different from what is listed on their profile. The site at
[0] shows how many states use soundex coding and modulus arithmetic to encode
driver's license numbers with PII.

I'd be keen to see if every driver's info aligns with the license number (for
those states that use encoding systems that embed PII into the number).

[0]
[http://www.highprogrammer.com/alan/numbers/index.html](http://www.highprogrammer.com/alan/numbers/index.html)

------
martin_
I find it unlikely they have a database explicitly for driver names/license
plates. Unless it was some flat-file dump compromised. I'm curious how much
data was really obtained. If only 50k were truly stolen, it could be a shard
too. The lack of technical details is sketchy to me

~~~
MBlume
Maybe they have query logging turned on and saw what queries the attacker ran?

~~~
martin_
Definitely plausible, and I hope so --- but there's no clarification of that
or technical insight.

------
bobofettfett
Why does sec get breached? Marketing wants easy access to all data, that's it.
Big Data / deep learning wants easy access, lots of data is in transit.
Security is not convenient for operations, therefore companies have sec on
paper and audits and stuff but no real sec.

------
codewithcheese
The free one-year membership of Experian’s® ProtectMyID® Alert is genius, it's
giving away something that costs them nothing (presumably Experian are using
this as a marketing opportunity) as if it's a real step in the right direction
to make up for the data leak.

~~~
chambo622
Virtually every breach disclosure press release I've seen has included a line
like this, as if it actually matters. Common practice.

------
anseljh
Here's a sample of the notification that went to affected "driver partners":
[http://oag.ca.gov/ecrime/databreach/reports/sb24-48540](http://oag.ca.gov/ecrime/databreach/reports/sb24-48540)

------
coldcode
And apparently Uber has filed suit against github:
[http://www.theregister.co.uk/2015/02/28/uber_subpoenas_githu...](http://www.theregister.co.uk/2015/02/28/uber_subpoenas_github_for_hacker_details/)

------
freehunter
I work in info sec, and in one of the "Who's Hiring" posts a few months ago
(do we still do those? I haven't seen one in a while) I asked "why are
startups never hiring security guys?", because I never see a security engineer
position open in those topics. I never got a response. To me that indicates
the response is "we don't".

Listen, guys. I don't care how small you are. If you are handling PII or
credit card data or anything that, if leaked, would harm your business or your
customers, _you need a security guy_. Not a programmer who knows some security
stuff. Not a manager who checks off the online PCI self-assessment. Not "we
outsource to an MSSP". At least one security guy, full time. Make sure that
everything you do is run past that person. If you're so busy that you can't
run everything past that person, hire another.

It's not a joke. Stop fucking ruining people's lives. It's 2015, four years
past "the year of the breach" [1]. Get with the program. It's not okay to have
a breach. It's not. It doesn't matter how much money you saved from not having
a security guy or the tools they need. Get someone who knows what they're
talking about and _listen to them_.

[1] [http://news.softpedia.com/news/IBM-2011-is-The-Year-of-the-S...](http://news.softpedia.com/news/IBM-2011-is-The-Year-of-the-Security-Breach-224465.shtml)

~~~
forrestthewoods
"Stop fucking ruining people's lives"

Serious, legit question here. How many lives will be ruined by this breach of
50k? How many lives were ruined when 40 million CCs and 70 million accounts
(address, phone number, etc.) were stolen in the Target breach?

Ruin seems like an awfully strong word here. I hesitate to say that because I
don't want to downplay the importance of security. But to take security
seriously I think we also have to be non-hyperbolic about the consequences of
not doing so.

~~~
imnewhere
I think you're going to need to define what a ruined life is. I doubt getting
a replacement credit card in the mail will ruin someone's life under most
definitions.

~~~
forrestthewoods
One time I got an e-mail from Amex saying my account may have been compromised
and to click a link. Fearing a phishing attempt I went direct to their website
and logged in. A big red banner said to contact them ASAP. I called a number
they gave. They asked if I ordered plane tickets for Turkey. I said no. They
said ok, no worries, they auto-blocked the purchase. We went through my
history to make sure everything else was correct, it was. The card was
cancelled and they mailed a new one overnight. It was under 22 hours from
e-mail to new card in hand. I was very impressed.

My sister had info stolen from a fake pad at a gas station. It was a debit
card. She got all of her money back but it took close to 6 weeks to fully
resolve. If you live paycheck to paycheck, and at the time she wasn't too far
off, that can be a very difficult situation. It worked out in the end but it
was definitely painful for her.

By and large these are not "ruined life" events. Identity theft and fraud are,
unfortunately, common and mainstream enough that hitting "ruined life" level
is exceptionally difficult. Back in the 90s when the average person didn't
know those terms it might have been more common. But now it's just something
that everyone, individuals and corporations, have to deal with.

------
mrwarn
Is this a signal that we should expect another large round of funding for
Uber?

------
legulere
I hope the authorities got hold of this data to check which drivers aren't
paying taxes.

------
nastygibbon
No info as to _how_ this was exposed. Were they storing data as plain text?

~~~
notatoad
probably, yes. storing data in plain text is common practice and not really a
problem.

~~~
rietta
I would actively insist on not storing PII in plain text unless there was
absolutely no way around it. And it may involve changing the business model to
enforce that certain data is not needed to be actively processed by the web
application in the ordinary course of business. This is part of the security
pushback phase that is essential that more developers adopt as a matter of
professional ethics.

------
bobofettfett
Why is data lost all the time?

Because lists of data exist.

Why do they exist?

Because everyone is using Excel.

------
archlight
The amazing thing I found about Uber is that after all the gaffes, privacy
leaks and maybe more, it still grows at such a speed. It surely means something big.

------
ukigumo
Is this what a 40 billion dollar startup looks like?

~~~
kmfrk
You're officially a billion-dollar corporation, when you start being careless
with people's private data. :)

~~~
ukigumo
Ok you got me there. :-)

I just think that this is a company with no product, no business model,
horrendous business practices and somehow their valuation is still higher than
the entire market they operate in. At least they're not selling the data to the
IRS, right?

------
unimportant
On an unrelated note - does anyone want to be a co-founder of an Uber
competitor?

I got 50k drivers ready to drive for us. :P

------
nedwin
Good to get this news out there on a Friday afternoon.

------
Trisell
Between this breach, and the impending classification as a cab company by more
and more major cities. I think that we can consider Uber to be either the
walking dead or something very close to it at this point.

~~~
skuhn
I think it's a bit premature to count Uber out. They have an absurd amount of
money in the bank, and they take on a very small amount of the risk of their
business. I don't think that this data breach will have the slightest impact
to their bottom line.

If they get classified as a cab company in a particular market, they'll sue.
If they don't get their way, they'll exit the market. They could also move
into other businesses which are clearly not cabs, as shown by their dabblings
in courier and delivery services. Consider how many startups are paying people
to drive things from point A to point B -- that entire industry could be
outsourced to Uber.

If they do exit a market, they won't lose anything besides face -- it's the
drivers who will carry all of the capital investment and most of the operating
costs, they're the ones who will be hurt.

