Uber Fixes Bug Which Exposed Hundreds of Drivers’ Details

Uber claims to have fixed a software flaw which exposed the personal details of hundreds of its drivers in the US to each other.

Drivers took to Reddit on Tuesday to complain about the blunder, which allowed them to view details including driving license, registration, Social Security numbers, tax forms and more.

One told Motherboard he found the issue when uploading a document to the site. After refreshing the page it apparently began to populate with the docs of other drivers.

“When I looked closer, it might have been the database of Uber drivers that are taxicab drivers that have access to Uber,” he added. “There were a lot of taxi certification forms and livery drivers' licenses and W-9 forms with Social Security numbers for taxi cab companies.”

Uber claimed that the issue affected 674 drivers in the US and exposed fewer than 1,000 documents. The bug apparently allowed logged-in drivers who visited the documents page to view the details.

An Uber statement read:

“We were notified about a bug impacting a fraction of our US drivers earlier this afternoon. Within 30 minutes our security team had fixed the issue.

We’d like to thank the driver who drew it to our attention and apologise to those drivers whose information may have been affected.

Their security is incredibly important to Uber and we will follow up with them directly.”

There’s a suspicion the incident may be linked to the development of Uber’s new partner app, which has been built to allow drivers to view and manage their accounts with more granularity.

Even though Uber claims to have fixed the issue within 30 minutes, there’s a risk that the exposed personal details could be used by unscrupulous drivers to commit identity fraud.

Uber account details are an increasingly common sight on underground hacker forums, experts say.

Kevin Cunningham, president of SailPoint, argued that staff and management have to work together to minimize the risk of a damaging data breach.

“Being exposed as unprepared or ill-equipped to minimize the damage associated with a breach is a big fear for many organisations,” he added.

“Today, companies across every industry house increasing amounts of sensitive data. So, everyone from the executive level down needs to ensure there is a collaborative effort from internal staff to protect that sensitive information and ultimately, the health and longevity of the company.”
