Uber announced on Friday that one of its databases was accessed without authorization in May 2014, putting the names and driver's license numbers of roughly 50,000 current and former drivers across multiple states at risk.
That type of personal data can be used to obtain additional information on an individual, which can then be leveraged to commit identity theft, Steve Hultquist, chief evangelist at RedSeal, told SCMagazine.com in a Monday email correspondence.
“Names and driver's license numbers are two key elements of verification of personal identity,” Hultquist said. “Combined with other information that could be gained by social engineering or by existing breaches, theft of personal identities is possible.”
Andreas Baumhof, CTO of ThreatMetrix, told SCMagazine.com in a Monday email correspondence that personally identifiable information (PII) increases in worth when more pieces of data related to a single individual are obtained.
“[If] I know your name and your associated email and then the associated address and then the associated credit card number and now the license plate, the information gets more valuable,” Baumhof said.
He went on to explain, “One reason is [that] the use of knowledge-based authentication is still quite heavy (even by banks), where they ask you some questions that only you should know (e.g. what's your license plate number?) to do a 2nd factor authentication.”
Although Uber is notifying all impacted drivers and is offering them a free year of identity theft protection services, the company said in a Friday statement that it has not received reports of actual misuse of any information as a result of the incident.
Uber stated that a single instance of unauthorized access to one of its databases occurred on May 13, 2014. The company explained that it discovered the potential access on Sept. 17, 2014, and immediately changed the access protocols for the database.
“Given the information that Uber has shared, it seems likely that the breach came from the unauthorized use of an existing database access account,” Hultquist said. “The other likely option is access via a database system vulnerability, but that doesn't seem indicated by the report.”
To prevent these types of incidents from occurring in the future, Baumhof said that a holistic approach needs to be considered. He explained that internal systems need to be restricted and secured, and access to data needs to be protected using context-based and behavioral approaches. Hultquist added that organizations should be using automation.
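The context-based and behavioral check Baumhof describes, and the "unauthorized use of an existing database access account" scenario Hultquist considers most likely, can be made concrete with a small baseline-and-anomaly pass over database access logs. The following is an added example and is not code from Uber, SC Magazine, or either expert quoted above; the log line format, the account names `svc_reporting` and `svc_billing`, the `10.20.0.0/16` corporate range, and every timestamp and IP address are constructed for illustration. It learns, per account, which source addresses and hours of day were seen in a baseline period, then flags later accesses that fall outside that baseline or originate outside the corporate network.

```python
"""Baseline-and-anomaly check for database access logs (added illustration).

The audit line format, accounts, networks and timestamps below are constructed
for this example; a real deployment would read the database's own audit log.
"""
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed baseline: "<UTC timestamp> <account> <source IP> <action>".
BASELINE_LOG = """\
2014-04-01T09:12:03Z svc_reporting 10.20.0.14 SELECT
2014-04-01T10:44:51Z svc_reporting 10.20.0.15 SELECT
2014-04-02T08:03:19Z svc_reporting 10.20.0.14 SELECT
2014-04-02T14:27:40Z svc_reporting 10.20.0.15 SELECT
2014-04-03T11:58:02Z svc_reporting 10.20.0.14 SELECT
"""

# Constructed later activity: a known account used from an outside address at
# 03:41, the same account used normally, and an account with no baseline.
NEW_LOG = """\
2014-05-13T03:41:07Z svc_reporting 203.0.113.77 SELECT
2014-05-13T09:15:22Z svc_reporting 10.20.0.14 SELECT
2014-05-13T09:20:00Z svc_billing 10.20.0.14 SELECT
"""

# Hypothetical corporate address space for the example.
CORPORATE_NETS = [ip_network("10.20.0.0/16")]


def parse_line(line):
    """Split one audit line into (timestamp, account, source IP, action)."""
    ts, account, ip, action = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, account, ip_address(ip), action


def parse_log(text):
    """Parse every non-empty line of a log blob."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


class AccessBaseline:
    """Per-account record of source IPs and hours of day seen during learning."""

    def __init__(self, corporate_nets):
        self.corporate_nets = list(corporate_nets)
        self.ips = defaultdict(set)     # account -> set of source IPs
        self.hours = defaultdict(set)   # account -> set of UTC hours (0-23)

    def learn(self, events):
        for when, account, ip, _action in events:
            self.ips[account].add(ip)
            self.hours[account].add(when.hour)

    def evaluate(self, event):
        """Return the list of reasons this access deviates from the baseline."""
        when, account, ip, _action = event
        reasons = []
        if account not in self.ips:
            reasons.append("account has no baseline")
        else:
            if ip not in self.ips[account]:
                reasons.append("source IP not in account baseline")
            if when.hour not in self.hours[account]:
                seen = sorted(self.hours[account])
                reasons.append(f"access hour {when.hour} outside baseline hours {seen}")
        # Context check independent of history: is the source a corporate address?
        if not any(ip in net for net in self.corporate_nets):
            reasons.append("source outside corporate networks")
        return reasons


def find_anomalies(baseline, events):
    """Return (timestamp, account, ip, reasons) for each event with findings."""
    hits = []
    for event in events:
        reasons = baseline.evaluate(event)
        if reasons:
            when, account, ip, _action = event
            hits.append((when.isoformat(), account, str(ip), reasons))
    return hits


if __name__ == "__main__":
    baseline = AccessBaseline(CORPORATE_NETS)
    baseline.learn(parse_log(BASELINE_LOG))
    for when, account, ip, reasons in find_anomalies(baseline, parse_log(NEW_LOG)):
        print(f"{when} {account} {ip}: {'; '.join(reasons)}")
```

The caveat a practitioner should keep in mind is what this does not catch: a stolen credential replayed from inside the corporate network during business hours passes every check above, which is why the restriction of internal systems mentioned in the same advice matters as much as the behavioral layer. The baseline is also only as clean as the period it was learned from, so it should be built from logs reviewed before the window of suspected compromise.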
According to the statement, Uber has filed a “John Doe” lawsuit so it can “gather information that may lead to confirmation of the identity of the third party.” The Register reported on Saturday that Uber subpoenaed GitHub to obtain the IP addresses of visitors to a particular gist, which is believed to have contained a login key used to access the Uber database.