Uber says unauthorised transactions in Singapore not linked to global breach

Uber has dismissed suggestions that a spate of unauthorised transactions reported by customers in Singapore is related to its global data breach, which does not involve financial information.
Written by Eileen Yu, Senior Contributing Editor

Uber believes its massive data breach, which has compromised 57 million global accounts, is not linked to a recent spate of unauthorised transactions reported by customers in Singapore.

Users of the ride-sharing app had discovered charges made to their accounts and credit cards for rides they never took. These included rides taken outside Singapore, in countries such as the UK and US, and paid for in foreign currencies, according to a report by local broadcaster Channel NewsAsia.

One customer noted as many as 30 unauthorised transactions made over five days, in US dollars, while another reported at least 15 made to her debit card in UK pounds. Uber had said it would refund the transactions.

Asked if these were related to the global data breach exposed this week, an Uber spokesperson told ZDNet there was no reason to believe the two were linked. She said the global incident, which originated in 2016, did not breach the company's corporate systems or infrastructure.

"And our [external] forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, NRIC, or dates of birth were downloaded," she added.

The US company this week was reported to have concealed a massive data breach for more than a year, even resorting to paying off hackers US$100,000 to delete the information and keep details of the breach quiet.

Originating in October 2016, the breach compromised 57 million Uber accounts worldwide, with hackers gaining access to names, email addresses, and phone numbers. Some 7 million drivers also were affected, including details of more than 600,000 driver licenses.

In his statement, Uber CEO Dara Khosrowshahi pointed to two individuals outside the company who had accessed data stored on a third-party cloud-based service it used. Its internal systems were not breached, and the forensic investigation found no indication that trip location history or social security numbers had been downloaded, Khosrowshahi said.

He added that the company gained assurance from the "individuals" responsible for the hack that all compromised data had been destroyed.

Chief security officer Joe Sullivan, identified as the executive who concealed the breach, has been fired, according to Bloomberg.

Asked by ZDNet whether Uber's Singapore office had informed the country's Cyber Security Agency (CSA) of the breach, the spokesperson said: "We are in the process of notifying various regulatory and government authorities and expect to have ongoing discussions with them. Until we complete that process, we aren't in a position to get into any more details."

Under current Singapore laws, most companies were not required to report security breaches to the authorities. However, licensees under the Monetary Authority of Singapore were mandated to do so.

Mandatory reporting of breaches would soon be required for selected organisations under the country's upcoming cybersecurity bill, expected to be introduced next year. Under the proposed law, operators of local critical information infrastructures (CIIs) would need to take steps to safeguard their systems and swiftly report threats and incidents, expected to be within 72 hours.

The bill listed 11 "essential services" sectors considered to operate CIIs: water, healthcare, maritime, media, infocommunications, energy, banking and finance, security and emergency services, land transport, aviation, and the government.

Asked if Uber might fall under the transport category, CSA told ZDNet that CIIs were deemed to be systems that provided essential services and, if compromised, would lead to serious impact on Singapore. As such, the CII obligations would not apply to Uber, it said.

The ride-sharing provider, however, might have violated the country's Personal Data Protection Act (PDPA), which outlined the need for organisations to "protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks".

Several organisations in April 2016, including local IT retail chain Challenger Technologies and Chinese handset maker Xiaomi, were fined or issued warnings for breaching the PDPA by failing to implement adequate security measures to safeguard customer data.

K Box Entertainment Group was fined S$50,000 for its failure to put in place adequate data protection policies and security safeguards as well as not having a data protection officer. The local karaoke chain has a membership of 317,000. Its IT vendor, Finantech Holdings, which was responsible for managing its content management system, also was fined S$10,000.

The Personal Data Protection Commission, which is responsible for enforcing the PDPA, said it was aware of Uber's data breach and had contacted the company for more details.

Incidentally, Uber's Singapore office was looking to hire a "head of security" for its Asia-Pacific operations as well as a "security investigator".
