Uber says data breach compromised 380K users in Singapore

Ride-sharing company reveals 380,000 in Singapore were affected by the massive data breach that compromised 57 million accounts globally, but says no fraud or misuse has been tied to these users.
Written by Eileen Yu, Senior Contributing Editor

Uber says an estimated 380,000 users in Singapore were impacted by the 2016 data breach that compromised 58 million accounts globally, but finds no incidents of fraud related to the attack.

The ride-sharing operator posted a statement on its website Friday with the update, noting that the figure was "an approximation rather than an accurate and definitive count". The number was determined from data extracted from its app or online site and based on codes assigned to specific countries, which might not always correspond with where the user actually lived, it explained.

Uber said it had taken "immediate steps to secure the data" when the breach was uncovered and blocked further unauthorised access. It added that affected customers need not take any action since there was no indication the breach had resulted in any fraudulent transactions.

"Our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, or dates of birth were downloaded," it said. "We have seen no evidence of fraud or misuse tied to the incident. We are monitoring the affected accounts and have flagged them for additional fraud protection."

Reports emerged last month that some customers in Singapore found charges made to their Uber accounts and credit cards for rides they never took, including transactions made in the UK and US and in foreign currencies. The company said then that these were not linked to the global data breach, since details related to credit card numbers or bank account numbers were not believed to have been compromised in the attack.

Uber admitted to have concealed the data breach for more than a year, paying off hackers US$100,000 to delete the data and keep quiet about the incident.

In a note commenting on Uber's latest statement in Singapore, Sanjay Aurora, Asia-Pacific managing director for security vendor Darktrace, said the onus was on companies to safeguard their customers' data.

"The reality is that there is only so much individuals can do. Ultimately, the responsibility lies with the companies that are entrusted with users' sensitive data to defend it against cyberattacks," Aurora said.

"Time and time again, we have seen attacks of this scale--and larger--plague the news. The reality is that such breaches, whether Uber, Equifax, or Yahoo, could have been resolved at an early stage [and] well before real damage was done," he said, touting the need for artificial intelligence in helping companies identify and combat security threats.

Singapore authorities had said they were investigating Uber's security incident and would determine if the US company had breached local data protection laws. They also underscored the need for Uber to be transparent and to cooperate with local authorities.

Editorial standards