Uber has released information about a hack that took place last year that resulted in the unauthorized access of 50,000 drivers' names and license plate numbers.
The company said it discovered the hack in September 2014, and that the hack took place in ancient history. OK, not quite: it took place on May 13, 2014.
"In late 2014, we identified a one-time access of an Uber database by an unauthorized third party. A small percentage of current and former Uber driver partner names and driver's license numbers were contained in the database," said the company in a blog post. "Immediately upon discovery we changed the access protocols for the database, removing the possibility of unauthorized access."
The incident is interesting because of how long the company took to notify the public, especially considering that it affects quite a few people. It is also interesting that it took four months to discover the hack. That delay may suggest Uber was not properly monitoring its systems or using appropriate security tools.
"I usually expect it's no more than 60 days before you start notifying people," said Brian Finch, a cybersecurity and data-breach expert from Pollsbury Winthrop Shaw Pittman law firm. "Unless they were cooperating with law enforcement, which is a possibility, it would seem to be an unusual delay."
It is not unusual for a company to wait to disclose a hack if it is conducting an investigation. However, even if the company was conducting one, it seems unusual for that effort to take five months.
In California, where Uber is located, the law requires companies whose records of consumer names and other pieces of information, including driver's license numbers, are involved in a hack to notify those affected "in the most expedient time possible and without unreasonable delay." While this is a rather vague law, it would be hard to argue that five months is the "most expedient time possible."
In Wisconsin, companies are required to notify those affected within 45 days. In Florida, it's only 30.
The company has also filed a so-called "John Doe" lawsuit to provide it with a legal vehicle to gather information about the hack, hopefully leading to the identity of the thief.