Some 57 million Uber users’ personal information was exposed in October 2016 when the car-hailing company experienced a cyber attack, the company announced Tuesday — more than a year after the incident.
Bloomberg reported the company paid $100,000 to the hackers responsible for the attack to keep the breach private.
Dara Khosrowshahi, Uber’s new CEO who was appointed by the board in August, said in a statement that two people outside the company “inappropriately accessed user data stored on a third-party cloud-based service that we use.”
The attackers stole the data of 57 million people across the globe, including their names, email addresses and mobile phone numbers. About 600,000 U.S.-based drivers were among 7 million Uber drivers whose license numbers and names were exposed in the breach.
The data breach was the latest in a string of high-profile cyber attacks that weren’t revealed until months or years later. Fortunately, it doesn’t appear that Uber users have to worry about any of their financial information being exposed. Khosrowshahi said no evidence indicated that trip location history, credit card numbers, bank account numbers, or dates of birth were stolen.
What was done?
After the attack happened, Uber “took immediate steps” to safeguard the data and blocked further unauthorized access to the information, according to Khosrowshahi. The company identified the hackers and made sure the exposed data had been destroyed. Security measures were also taken to strengthen controls on the company’s cloud storage.
“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
On Tuesday, the company let go two employees who led the response to the incident, according to the statement. Uber is also reporting the attack to regulatory authorities.
What can you do?
Uber said no evidence shows fraud or misuse connected to the data breach.
Check out our guide on credit freezes and other steps you can take to protect your identity if personal information is compromised in a data breach.
If you are an Uber rider…
The company said you don’t need to take any action. Uber is monitoring the affected accounts and has marked them for additional fraud protection, Khosrowshahi said. But you are encouraged to regularly monitor your credit and Uber accounts for any unexpected or unusual activities.
If anything happens, notify Uber via the Help Center immediately. You can do this by tapping “Help” in your app, then “Account and Payment Options” > “I have an unknown charge” > “I think my account has been hacked.”
If you are an Uber driver…
If you are affected, you will be notified by Uber via email or mail and the company is offering free credit monitoring and identity theft protection.
You can check whether your Uber account is at risk here.
Less than a week after the Equifax data breach was made public, it seems scammers are already looking for opportunities to prey on concerned consumers.
The Federal Trade Commission posted a scam alert Thursday warning consumers to not give their personal information to anyone who calls and claims to be an Equifax representative. Over the summer, hackers breached the Atlanta-based credit bureau’s database and accessed the personal information of about 143 million consumers, including sensitive information like Social Security numbers.
But Equifax is not calling those affected by the breach, so if you get a phone call from someone saying they represent Equifax and want to verify your account information, the FTC advises you hang up. It’s ironic, in a way, to target victims by posing as a concerned Equifax representative. The company has been criticized widely for its sluggish response to the breach, which occurred sometime between mid-May and July but wasn’t discovered until July 29 and wasn’t announced until more than a month later.
In response to the security failure, the House Committee on Energy and Commerce has demanded Equifax answer several questions about the breach, including why the company put off announcing the breach for so long. Equifax has until Sept. 22 to respond to the committee’s questions, and the committee plans to hold hearings on the breach in September or October.
In a company statement, Equifax CEO Richard Smith said the breach was a “disappointing event.”
“Confronting cybersecurity risks is a daily fight,” he added. “While we’ve made significant investments in data security, we recognize we must do more. And we will.”
In the breach, people’s Social Security numbers, dates of birth, addresses, and other personally identifiable information (PII) were compromised, so it’s understandable you’d be worried and are looking for help.
Here’s what you can do to take control of protecting your identity.
Assume you’re affected
While you can go to Equifax’s website and go through a multistep process to see if your information has been compromised, you can also just assume someone has their hands on your personal information. (It’s also worth noting the Equifax site reportedly isn’t reliable for telling you if you’re affected, and many consumers have reported the site is slow to load or doesn’t load at all.) Even if you weren’t among the 143 million whose personal information was compromised in this breach (and the odds aren’t in your favor), chances are it has been or will be in a breach at a different company or organization. With that in mind, you’ll want to focus on how to detect signs of identity theft and how to respond to them.
Monitor your credit
Equifax responded to the breach by offering free credit and identity monitoring to everyone — not just those affected — for a year through TrustedID Premier. You must go to equifaxsecurity2017.com to enroll, which requires entering your last name and the last six digits of your Social Security number. You’ll then be given an enrollment date, which may be several days after you start the enrollment process, at which point you can return to the site to continue enrollment. You’ll need to set a reminder to continue the process, as Equifax won’t send you a notification when it’s time.
You have many other ways to find out if someone has misused your personal information. Several companies offer free credit scores — Credit Karma, Discover, Capital One, Mint, LendingTree (our parent company), etc. — either to everyone or to their customers. To help you choose, we put together this guide to getting your free credit score. Credit Karma also offers a free credit monitoring service, and Discover cardmembers can sign up for alerts when their Social Security numbers are detected on suspicious websites. You can also pay for credit monitoring services from a number of providers, including the three major credit bureaus Equifax, Experian and TransUnion, as well as credit scoring giant FICO.
Consider a credit freeze
You can also freeze your credit so no one, not even you, can apply for new credit using your information. If you do this, you have to initiate a freeze with each of the three major credit bureaus, as well as “thaw” each report when you want to apply for a new credit account. Every time you freeze and thaw your credit you may be charged a fee, which varies by state. This only protects you from credit fraud and does not prevent things like taxpayer identity theft, criminal identity theft, medical identity theft, and insurance identity theft.
On Sept. 15, Equifax announced it is waiving the fee for removing and placing credit freezes on Equifax credit reports through Nov. 21, 2017. Anyone who paid for an Equifax freeze at or after 5 p.m. EDT on Sept. 7 will receive a refund, the company said.
Have a plan for responding to identity theft
One of the best ways you can prepare for identity theft is to detect it early. After that, you need to know how to resolve it. You can do this yourself by filing a police report, disputing fraudulent accounts on your credit reports, and making the phone calls necessary to correct any problems stemming from the fraud. Or you could pay someone to help you with this time-consuming task. Check with your employer to see if they offer identity theft insurance or identity theft resolution services as an employee benefit, and if not, consider paying for it.
More than anything, remain calm as you sort through the fallout of this breach. Focus on making a plan for protecting yourself from and responding to identity theft and making sure you only deal with trustworthy service providers.
About 143 million consumers’ sensitive information has been compromised in what was one of the worst data breaches to date in size and potential impact on consumers. Credit reporting agency Equifax announced the breach Thursday, more than a month after detecting the intrusion.
Equifax is one of the three national credit reporting agencies (the others being TransUnion and Experian) and collects a wide variety of consumers’ sensitive and personally identifiable information (PII). The information on credit reports determines credit scores and is used in lending decisions, among other things.
The breach exposed the names, Social Security numbers, birth dates, addresses, and, in some instances, driver’s license numbers of about 44 percent of the current American population. Hackers also took the credit card numbers for about 209,000 U.S. consumers and dispute documents for 182,000 U.S. consumers.
In its announcement, Equifax said “criminals exploited a U.S. website application vulnerability to gain access” to the files. In addition to the millions of U.S. consumers affected, the company says the criminals had access to limited personal information of some U.K. and Canadian residents.
The Atlanta-based reporting agency said the thieves had access to the data from mid-May through July 2017, but it didn’t discover the breach until July 29. Equifax announced the breach more than a month after discovering it and hiring a cybersecurity firm to investigate.
The company says it’s also working with law enforcement authorities and that its investigation will be complete soon. Equifax has not said who they believe attacked their database.
What the breach means for consumers
The breach isn’t the largest to date, but it’s close. In 2016, Yahoo announced an attack that affected 500 million users. Another breach, announced just a few months later, involved 1 billion users. In those breaches, hackers stole users’ phone numbers and passwords.
The Equifax breach could be worse in impact, given the sensitive nature of the consumer data the company has on file. In its release, Equifax said it had found “no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.” That doesn’t necessarily mean the information hasn’t been misused or that it won’t be misused, as signs of identity theft may not immediately show up on a credit report.
“If you were going to rate this breach from one to 10, this is a 10. The amount of sensitive info that is contained in the Equifax database is staggering,” says Adam Levin, founder of CyberScout and author of “Swiped,” a book on how and why consumers can protect themselves from identity theft.
When this level of information has been compromised, it “opens up the door for thieves to commit many different other types of identity theft. Not just financial, but criminal, government, medical theft as well,” says Eva Velasquez, the president of Identity Theft Resource Center.
Levin adds, when Social Security numbers are part of a database that’s been exposed, all of the individuals who have their numbers in that database will need to be “looking over their shoulders for the rest of their lives.” The Social Security Administration rarely changes someone’s Social Security number.
What to do now
First, don’t panic.
“People really feel violated when things like this happen,” says Velasquez. “Direct your energy from being angry or upset and feeling powerless to actually doing something and taking some steps to feel more empowered.”
Levin says the breach may add to “breach fatigue” — how the drastic rise in security breaches causes consumers to believe breaches are inevitable and react to them apathetically instead of with urgency.
“But it shouldn’t,” Levin says. “It should be a clarion call. Unfortunately, as consumers we have to think of this as if we’re alone. The government has failed us. The financial industry has failed us, and frankly we have failed ourselves. It’s important that we develop a culture of privacy and security.”
Find out if you are one of the impacted
Given the increasing threat and frequency of data breaches, everyone should be proactive in detecting identity theft. For this breach in particular, Equifax set up a website to see if you’re one of the people affected and how to enroll in the free year of credit monitoring it’s offering victims.
You’ll see a page with a large, rectangular button that says “Check Potential Impact” and a few lines of text.
The text explains that if you click on the link that says “Check Potential Impact,” you’ll be taken to a form that asks you to provide your last name and the last six digits of your Social Security number.
Based on that information, you’ll then be shown a message that says whether your personal information may have been impacted by the breach.
Regardless of the message you see, Equifax will give you the option to enroll in a credit monitoring service from TrustedID Premier. Beware: if you enroll, you’ll have to agree to waive some of your rights to sue Equifax. The arbitration clause is written in all caps in the company’s terms of service, but consumers may miss the language. The Washington Post reported earlier that Equifax on Friday updated its terms to incorporate a way out of the arbitration clause.
Equifax cleared up the confusion Friday afternoon by adding the following information to its FAQs section on equifaxsecurity2017.com:
However, New York State Attorney General Eric Schneiderman still found the addition “unacceptable.”
Consumers can be excluded if they let Equifax know within 30 days in writing they would like to be excluded from the arbitration clause, but must first accept the agreement.
If you choose to enroll, you’ll be given an enrollment date. There’s quite a backlog of people enrolling, so you have to take it upon yourself to return to the site on your enrollment date. In short: You have to take your protection into your own hands. Equifax isn’t doing it for you.
Sign up for credit monitoring
Equifax is offering one year of free credit monitoring through TrustedID Premier to all U.S. consumers, regardless of whether they were affected by the data breach. There are five services under the program:
Get a free copy of your Equifax credit report.
Sign up for credit monitoring and automated alerts to be notified of key changes to your credit report at any of the big three reporting agencies.
Put a freeze on your Equifax credit report.
Scan suspicious sites for use of your Social Security number.
Get up to $1 million of identity theft insurance to help you pay for any costs you may incur if someone commits identity fraud against you.
Even if you don’t want to enroll in Equifax’s service, you should enroll in a credit monitoring service, like free options offered through Credit Karma, Discover, Mint, Wells Fargo, and Capital One® — there are lots of ways to keep tabs on your credit.
Some identity theft protection services, like the ones offered through myFICO, charge a monthly fee to monitor your credit year-round and provide identity theft insurance.
Regularly review your credit reports
You’re entitled to a free annual credit report from each of the major credit bureaus, which you can get through annualcreditreport.com. Carefully check your credit report for any accounts or recent activity you don’t recognize.
Make a plan to respond to identity theft
Detecting identity theft as soon as possible is crucial to minimizing the damage and stress it can cause — that’s where credit monitoring and reviewing your credit reports come in. But the next step is just as important: Know what to do when it happens.
You can dispute errors on your credit report, file a police report documenting the identity theft, and do the legwork of resolving any problems it causes. You can also pay for identity theft insurance or identity theft resolution services (some employers offer this as a benefit, so check with your human resources department). Here’s a guide on identity theft resolution, so you know what to do in case you see anything suspicious. Even if you don’t see anything out of the ordinary, you should continue to remain vigilant in monitoring your credit activity.
Freeze your credit report
Velasquez says a credit security freeze is an option impacted consumers should look at. It prevents any application for new credit without first verifying your identity. If you want to apply for new credit, you’ll have to “thaw” your credit reports. The credit bureaus charge a fee, which varies by state, every time you freeze and thaw your credit report.
“While that does create some added inconvenience, the level of protection is worth it,” says Velasquez.
Be alert for unusual activity
Now is the time to practice what Velasquez calls good “identity hygiene.”
“Being vigilant about your identity is just a part of the world that we live in,” says Velasquez. “If being involved in a data breach is the catalyst that brings that to the top of your mind, then we can see that as a positive.”
Velasquez recommends consumers act proactively and remain cognizant of anything that may involve using or verifying their identity. For example, if you receive a notice from a government agency about benefits or some weird explanation of benefits, pay attention to it.
Even after you do things like enroll in credit monitoring and freeze your credit, continue to do your best to watch out for signs of abuse. Don’t wait until you start receiving strange calls from government agencies and debt collectors.
When tax season rolls around, file your return as soon as possible. Identity thieves frequently use Social Security numbers to get fraudulent refunds, and if they file before you do, it will further complicate your tax-filing process.
At the least, go through your financial statements regularly (the more often, the better) to look for anything out of the ordinary. While protection is top of mind, sign up for any alerts you can set up on your mobile banking app to receive transaction notifications.