P2018-ND-030

Uber B.V.

On November 14, 2016, ?Uber was contacted by an individual who claimed he had accessed Uber user information.? The DPA report stated that ?Uber investigated and determined that the individual and the other person working with him had obtained access to a private Uber developer page?. Using credentials located there, the unauthorized actor was able to access and download certain archived driver and rider data stored in a cloud-based server. The incident did not breach any corporate systems or infrastructure.? The DPA report stated that ?To the best of Uber?s knowledge, the unauthorized actor?s access to this data began in October 13, 2016, and there was no further access by the actor to Uber?s data after November 15, 2016.? The Organization said that ?Uber?s security team took immediate steps to respond to and limit the impact of the incident, including engaging in immediate and then ongoing communications with the original unauthorized actor and the second individual subsequently identified to have been working with him. Uber also determined the means of access, shut down the credential that had been used to gain entry?and took steps intended to confirm that the actors had destroyed and would not use or further disseminate the information?. identified the third parties, and met with them in person.? The Organization said ?Uber?s security team paid the outside actors to destroy the data, as demanded? and obtained assurances from the individuals that they had destroyed and would not use or further disseminate the downloaded information, and to the best of Uber?s knowledge, such materials were destroyed.?

File Type: pdf
Categories: 2018
Tags: Loss