Uber Data Breaches: Full Timeline Through 2022

On September 15, a hacker connected with the Lapsus$ group announced that he had breached Uber. Uber appears to have been thoroughly compromised, with their source code and other internal systems implicated in the leak.

Below, we’ll go into the full history of Uber data breaches and privacy violations, starting with the most recent.

September 2022: Lapsus$-Affiliated Hacker Compromises Uber

On September 15, a hacker announced in Uber’s private Slack channel that he had breached the company. One security engineer described it to the New York Times as “a total compromise”, and stated that “They pretty much have full access to Uber.” Uber’s source code, internal databases, communication channels, and more were all compromised in the breach.

This appears to have been a social engineering attack. The hacker, who uses the alias “teapotuberhacker,” was able to successfully get past multi-factor authentication by repeatedly spamming an Uber employee with requests to grant access, claiming to be an IT worker. This same hacker has also claimed credit for the Rockstar Games breach.

In a statement released September 17th, Uber said they had found “no evidence that the incident involved access to sensitive user data (like trip history).” Uber has linked this breach to the Lapsus$ group, which has compromised companies such as Nvidia, Samsung, and Microsoft.

August 2020: Uber Eats User Data Found on Dark Web

In August 2020, the cybersecurity firm Cyble discovered personal information on Uber Eats customers and drivers on the dark web. In total, around 579 customer files were discovered, as well as personal data pertaining to 100 Uber drivers.

September 2018: Uber and FTC Finalize $148 Million Settlement for Concealing 2016 Data Breach

In September 2018, Uber and the Federal Trade Commission arrived at a settlement regarding two previous data breaches, in 2014 and 2016. Crucially, Uber had concealed the 2016 data breach, even though they were already under an FTC investigation at the time. In the end, Uber had to pay $148 million in penalties for covering up the 2016 data breach.

Per this agreement, Uber remains subject to further penalties should they fail to disclose future data breaches. The deal also required Uber to implement “a comprehensive privacy program and for 20 years obtain biennial independent, third-party assessments.”

November 2017: Bloomberg Article Reveals Uber Data Breach & Cover-Up

In 2017, Bloomberg published an article in which they revealed Uber had covered up a data breach in late 2016. After two hackers stole 57 million customer records, Uber paid them $100,000 to delete the data, and proceeded to sweep the incident under the rug – even while they were actively negotiating a settlement with the FTC regarding a previous data breach.

In response, Uber CEO Dana Khosrowshahi published a blog post in which he came clean regarding the incident and outlined the steps Uber was taking to protect against future data breaches. In it, Khosrowshahi stated that he only found out about the incident when Bloomberg’s investigation was underway; and, to be fair, he was not employed by Uber when it incurred.

August 2017: Uber Settles with FTC Over Data Security & Privacy Issues

In August 2017, Uber arrived at a settlement with the Federal Trade Commission. Part of this settlement pertained to “God View”, through which Uber tracked the location of specific journalists and celebrities. It also referred to data security issues, namely the May 2014 breach described later in this article.

By the time they arrived at this settlement, Uber had covered up another data breach, which occurred in late 2016. Because Uber they did not disclose this incident, the FTC withdrew from the August 2017 settlement, leading to a new settlement in 2018.

December 2016: Uber Pays Hackers $100,000 Following Security Breach

In November 2016, two unknown hackers emailed Uber’s Chief Security Officer, Joe Sullivan, to inform him they had exploited a vulnerability and looted personal data pertaining to 57 million Uber customers. In response, Sullivan paid the hackers $100,000 to delete the data and keep quiet regarding the incident.

Even though Uber was already subject to an FTC investigation at the time of the incident, they did not disclose the hack to the authorities. Instead, Sullivan communicated with then-CEO Travis Kalanick, who encouraged him to treat it as a “bug bounty situation” – referring to cases in which companies offer white hat hackers a bounty to identify vulnerabilities.

The incident finally came to light in November 2017, when Bloomberg reported on what had occurred. In response, Uber’s new CEO, Dana Khosrowshahi, asked for Sullivan’s resignation. Sullivan is currently facing multiple charges related to the incident, including obstruction of justice, concealment of a felony, and wire fraud.

For their part, the two hackers were eventually caught: Brandon Charles Glover and Vasile Mereacre were indicted in 2018 for trying to extort Lynda.com. In 2019, they both pleaded guilty to their role in the Uber hack as well.

December 2016: Lawsuit Claims Uber Employees Tracked High-Profile Individuals

In December 2016, a lawsuit was filed claiming that Uber employees were tracking high-profile individuals without just cause, including some politicians and celebrities. While Uber had placed restrictions on “God View” (then rebranded as “Heaven View”), the lawsuit claimed improper tracking activities were ongoing.

The lawsuit made the news not long after a version of the Uber app was released that had the ability to track user whereabouts even when they weren’t using the app. According to a November 2016 report, the new permissions didn’t sit well with many users, particularly since they weren’t given the option to allow location tracking only when the app was operating.

November 2014: Uber Uses “God View” to Track Journalists and Celebrities

In November 2014, Uber executive Josh Mohrer used Uber’s “God View” to track the location of a Buzzfeed reporter. This “God View” was widely accessible to Uber employees, and the story prompted public outcry against Uber’s privacy violations.

As “God View” came under fire, Uber attracted additional scrutiny when another Uber executive, Emil Michael, talked about harassing journalists in a dinner conversation. In response to these incidents, the New York Attorney General fined Uber $20,000 in January 2016.

May 2014: Hacker Accesses Over 100,000 User Records

In May 2014, a hacker accessed sensitive records on 100,000 Uber users. The data was stored in plain text on an Amazon Web Services server. The access code to the data store had ended up on GitHub after an Uber software engineer shared code on the platform, giving anyone with the code full administrative privileges on that particular server.

Once in the server, the hacker accessed a single file. That file contained Uber driver information, including 100,000 names and driver’s licenses, as well as 215 name, bank account, and routing number files and 84 name and Social Security number combinations. Other sensitive information was also in the file.

September 2011: Uber Uses “God View” to Show Off Users’ Location

In September 2014, tech entrepreneur and writer Peter Eagle Sims relayed a story about Uber’s invasive “God View”, which he discovered in 2011. Through “God View”, Uber executives could track the location of specific users.

Sims became aware of God View when a journalist texted him from Uber’s Chicago launch party in 2011. As a party trick, Uber was displayed the locations of specific users in front of guests. This is the first known incident involving God View, which was widely available to Uber employees from 2011 through 2017.

We did not find any earlier records of data breaches or privacy violations involving Uber.

Leave a Comment