GCHQ: change your passwords now even if Uber says it contained the breach

Uber claims to have paid $100,000 to secure 57 million accounts exposed in a breach last year, but the UK's spy agency, GCHQ, suggests consumers don't place too much faith in Uber’s claim. 

The GCHQ's National Cyber Security Centre (NCSC) on Thursday published guidance for Uber users, reminding those affected by the firm’s just-revealed 2016 breach that they should take precautionary action even if their personal details may not have been compromised.

The agency warned that Uber drivers and riders should “immediately change passwords” that were used for Uber. 

Bloomberg reported this week that Uber paid hackers that stole the information USD$100,000 to delete whatever they had and that its security team had verified the details were deleted. Whether the hackers did delete the information might not make a difference if the hackers themselves were compromised too.

Uber’s breach disclosure referred to names, email addresses and mobile phone numbers for accounts across the globe, but didn’t mention passwords. 

The ride-hailing firm didn’t break any laws by paying the attackers, but it did flout regulations in numerous jurisdictions by not disclosing the breach to relevant authorities.

Yet NCSC's advice today highlights that Uber’s decision to cover up the breach has an impact beyond just informing individuals whose personal and financial information may have been exposed.

GCHQ only established NCSC last year as the public facing unit of the intelligence agency. NCSC is tasked with engaging with the public and industry to protect Britain’s economy from cyber threats.

Uber has now reported the issue to regulators around the world, but the NCSC today said it still isn’t certain about the exact impact on UK citizens. Consequently, its advice to consumers and businesses is based on an incomplete picture — a full year after the incident occurred.

NCSC said it can’t provide proper advice to the public until its work with the UK’s Information Commissioner's Office (ICO) is complete.

“We are working with the ICO to verify the extent of this breach, including the type and volume of information compromised. Once we have a sufficient assessment of the incident we will publish the details of the impact on UK citizens,” NCSC said in a statement.  

Hence, the NCSC’s advice right now is to immediately change passwords used with Uber, even though Uber never said that passwords — hashed or otherwise — were exposed. It also advised users to change passwords on any other account where the same password was used.

Given the lack of evidence that Uber’s hackers did delete the information after receiving Uber's alleged payment, NCSC has issued its usual advice when a breach occurs: be extra cautious of phishing email and watch out for scam phone calls.
