Uber cannot confirm whether Australians have been affected by a global data breach that could lead to identity theft and sophisticated phishing scams.
The ridesharing company has admitted to a year-long cover-up after the information of 57 million users was downloaded by hackers in October 2016.
Uber paid off the fraudsters to the tune of $US100,000 ($132,000) to keep quiet and delete the data.
Customers had their names, phone numbers and email addresses stolen. Even more worryingly, the licence numbers of about 600,000 US drivers were also compromised, Bloomberg reported.
Uber could not say whether Australian users were among those affected.
“We are in the process of notifying various regulatory and government authorities and we expect to have ongoing discussions with them,” the spokesperson told The New Daily.
“Until we complete that process we aren’t in a position to get into any more details.”
The stolen data did not include trip-location history, credit card details, bank account numbers or birthdays, Uber said.
But experts were cynical about Uber’s response, which left “a lot of unknown”.
“They say that nothing else has been stolen, but you just don’t know as well,” Sean Maynard, from the Melbourne University Department of Computing Information Systems, told The New Daily.
“They don’t say a lot of things. So, trying to work out what’s been taken and how it affects us is unknown.
“And they say they’ve paid $US100,000 to the hackers to delete it [the data], but you don’t know if it’s been deleted or not.”
David Lacey, founder of IDCARE and professor of cybersecurity at Sunshine Coast University, said the biggest risk for Uber customers would be phishing attempts and scam phone calls.
“That’s probably the risk that most of us will confront … If it’s a driver’s licence then you’d really need to look into credit reports and see what’s going on there, because there’s a credit risk to you,” Dr Lacey said.
He said the breach would be “high risk” for the 600,000 drivers whose licence numbers were stolen.
“From IDCARE’s perspective, the number one credential or value to criminals is the driver licence number.”
Uber said it was notifying the drivers whose licence numbers were downloaded and providing them with free credit-monitoring and identity-theft protection.
Going forward, Uber users should check their emails with vigilance. Dr Lacey said hackers could use the compromised data to target phishing attempts and personalise scam emails.
“If you’re concerned that you’re one of these customers – and I might be one of them – and it’s my email address and phone number that’s at risk with my name, then I’d certainly be a lot more vigilant about these types of emails or phone calls I’m receiving,” Dr Lacey said.
“Ask people if you’re not sure whether something’s genuine.”
Dr Maynard also recommended that people check the domain names of the email addresses that reach their inbox, and all hyperlinks, for errors or inconsistencies.
Dara Khosrowshahi, who was named CEO in August following the departure of Uber founder Travis Kalanick, said he had only recently learned of the matter himself.
“None of this should have happened, and I will not make excuses for it,” Mr Khosrowshahi said in a blog post.
Following a company investigation, two employees who handled the response have since left Uber.
Bloomberg reported that chief security officer Joe Sullivan and a deputy were ousted this week because of their role in the handling of the incident.
According to the company’s account, two individuals downloaded data from a web-based server at another company that provided Uber with cloud-computing services.