Uber
Summary
In October-November 2016, attackers obtained AWS credentials from a GitHub repository used by Uber engineers and used them to download unencrypted backup files stored on Amazon S3, exposing data on approximately 1.2 million Australian riders and about 57 million users globally. Uber concealed the breach for over a year, paying the attackers US$100,000 through its bug bounty program in exchange for deleting the data and staying silent. The breach was not disclosed until November 2017, following the appointment of a new CEO.
What Happened
Attackers obtained AWS access keys that Uber engineers had committed to a GitHub repository as part of the code. The keys were long-lived static credentials with read access to Uber's Amazon S3 storage, so no further bypass was needed: the attackers simply authenticated as the key's owner and downloaded backup files containing personal information on riders and drivers. The files were unencrypted and contained names, email addresses, and mobile phone numbers.
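The control that would have caught this at the point of failure is a secret scan over content before it is committed or pushed. The scanner below is an added example written for this page; it is not Uber's tooling and does not reproduce anything from the incident. It flags AWS access key IDs by their fixed prefix and length, then searches the neighbouring lines for a 40-character secret-key candidate and confirms it with a Shannon-entropy check, which is what keeps 40-character hex digests such as git commit IDs from being reported. The sample input is constructed; the access key and secret in it are the placeholder pair published in AWS's own documentation, not live credentials.

```python
"""Scan text about to be committed for AWS credential pairs.

Added example, not code from the original page or from Uber. Suitable as the
core of a pre-commit hook or CI check run over staged file contents.
"""
import math
import re
from dataclasses import dataclass
from typing import List, Optional

# Access key IDs are 20 upper-case alphanumerics with a fixed 4-letter prefix:
# AKIA for long-term IAM user keys, ASIA for temporary STS keys.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret access keys are 40 characters drawn from the base64 alphabet; the
# lookarounds force a match on a whole 40-character run, not a substring.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")
# Real secrets land around 4.5-5.2 bits/char. A 40-char hex string (git SHA-1,
# many checksums) can never reach 4.0 because 40 chars over 16 symbols cannot
# be spread evenly, so this threshold drops them without a special case.
SECRET_MIN_ENTROPY = 4.0
# Lines searched on either side of an access key hit for its matching secret.
SECRET_WINDOW = 3


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class Finding:
    line: int                       # 1-based line of the access key ID
    access_key_id: str
    secret_line: Optional[int]      # None when no plausible secret is nearby
    secret_entropy: Optional[float]


def find_aws_credentials(text: str) -> List[Finding]:
    """Return one Finding per access key ID, paired with the highest-entropy
    secret candidate within SECRET_WINDOW lines if one exists."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        for m in ACCESS_KEY_RE.finditer(line):
            secret_line, best_entropy = None, None
            lo = max(0, i - SECRET_WINDOW)
            hi = min(len(lines), i + SECRET_WINDOW + 1)
            for j in range(lo, hi):
                for sm in SECRET_KEY_RE.finditer(lines[j]):
                    e = shannon_entropy(sm.group(0))
                    if e >= SECRET_MIN_ENTROPY and (best_entropy is None or e > best_entropy):
                        secret_line, best_entropy = j + 1, e
            findings.append(Finding(i + 1, m.group(0), secret_line, best_entropy))
    return findings


# Constructed sample: a credentials file accidentally staged, plus a comment
# that mentions a key-shaped fixture ID next to a commit hash. The key pair is
# AWS's documented placeholder pair, not a real credential.
SAMPLE_COMMIT = "\n".join([
    "# constructed sample: a config file accidentally staged for commit",
    "[default]",
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
    "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "region = ap-southeast-2",
    "",
    "",
    "",
    "# fixture id: ASIATESTTESTTESTTEST deployed at 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12",
])

if __name__ == "__main__":
    for f in find_aws_credentials(SAMPLE_COMMIT):
        paired = f"secret on line {f.secret_line} ({f.secret_entropy:.2f} bits/char)" if f.secret_line else "no secret nearby"
        print(f"line {f.line}: {f.access_key_id} ({paired})")
```

A hook built on this should fail the commit whenever a Finding has a paired secret, and at least warn on a bare access key ID; the entropy gate controls false positives on secrets, but the key-ID pattern itself is specific enough that every hit deserves a look. Scanning staged content is the cheap part; the key that is already in history has to be treated as compromised and rotated, because removing it from the tip of the branch does not remove it from the repository.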
Rather than disclose the breach, Uber's security team engaged with the attackers through the company's bug bounty program, paying them US$100,000 and requiring them to sign non-disclosure agreements. The breach remained concealed until November 2017, when new CEO Dara Khosrowshahi disclosed it publicly.
Impact on Individuals
The breach exposed names, email addresses, and mobile phone numbers of approximately 1.2 million Australian Uber riders. This information could be used for phishing attacks, spam, identity theft, or social engineering. Affected individuals were not notified at the time of the breach and remained unaware their data had been compromised for over a year.
The OAIC noted in its investigation that "the failure to notify affected individuals in a timely manner deprived them of the opportunity to take steps to protect themselves from potential harms arising from the breach."
Organizational Response
Uber publicly disclosed the breach in November 2017, over a year after it occurred. The company's Chief Security Officer and one of his deputies were terminated for their roles in concealing the breach. Uber implemented new data security measures and updated its incident response procedures.
Following the disclosure, Uber cooperated with regulators worldwide, including the Australian Information Commissioner. The company agreed to implement a comprehensive set of privacy and security reforms.
Legal Action
OAIC Investigation (2017-2021)
The Office of the Australian Information Commissioner conducted a Commissioner-initiated investigation into the breach, concluding in 2021. The investigation found that Uber had interfered with the privacy of Australians by:
- Failing to take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access or disclosure (APP 11.1)
- Not taking reasonable steps to notify affected individuals of the breach in a timely manner
The OAIC ordered Uber to:
- Implement and maintain a data retention and destruction policy
- Implement and maintain an information security program
- Establish and maintain an incident response plan
- Appoint a dedicated privacy officer in Australia
The Commissioner did not impose financial penalties, noting that Uber had already implemented significant privacy and security reforms following the breach.