Uber gave sensitive driver data to a law firm for legal actions, but the law firm leaked all the data

A law firm that represents Uber Technologies has informed an unknown number of Uber drivers that sensitive data, including their names and Social Security numbers, has been taken by cyberattackers.

The world’s largest ride-sharing company has suffered its third data breach in the last six months.

According to a letter that was posted online on April 4, the Newark, New Jersey-based law firm Genova Burns LLC first noticed suspicious activity at the end of January. Following an investigation by outside specialists, the firm discovered that its systems had been compromised and that data on an unknown number of Uber drivers had been stolen. According to the letter, Uber provided the law firm with the material in connection with its legal representation.

Genova Burns did not respond to any of the several requests for comment and did not explain why the law firm required personally identifiable information (PII) from drivers.

In the letter sent to Uber drivers, the law firm said: “Upon learning of the situation, we investigated to ascertain the extent and breadth of the breach, and we safeguarded the environment by resetting all system passwords.” “We have also informed law enforcement of the situation, and we are helping them with their investigation. We have decided to take certain further precautions in order to strengthen our security measures and make ourselves more resistant to situations of a similar kind in the future.”

Hackers have often attempted to penetrate Uber’s systems. The ride-sharing provider had previously suffered a data breach in May 2014, during which hackers gained access to the private information of 50,000 drivers and their license plates. This was followed by a more serious breach in October 2016, during which hackers obtained access to the private information of 57 million Uber users. Two more attacks in 2022, one of which was carried out via a third-party cloud provider, succeeded in stealing important data; one of these attacks led to the resignation of the company’s CISO.

In the most recent attack, Uber admitted to the data leak but referred all queries on the matter to its law firm.

According to a statement released by Uber, the affected drivers “have been advised that their Social Security number and/or tax identification number have been potentially compromised and [were] provided free credit monitoring and identity protection services.” “Genova Burns has indicated that they are not aware of any actual or attempted exploitation of the information, and they have stated that they are taking extra actions to increase security and better defend against occurrences similar to those that may occur in the future.”

The law firm first discovered the attack on January 31. After an unnamed third-party forensics and data-security specialist investigated the attack, the firm found that its data had been accessed and exfiltrated during the week before the one in which the attack was discovered.

Genova Burns said in a letter that was made public that on March 1, 2023, its team “found that information connected to you [the Uber drivers] was included in an affected file, and after making this determination, we alerted Uber.” “At this point, we do not know of any real or attempted abuse of your information as a consequence of this event,” the spokesperson said. “We apologize for any inconvenience.”