Uber Data Breach Exposes Licenses and IRS Documents for Nearly a Thousand Drivers
Earlier today, Uber released a new “Uber Partner app, designed to give drivers more information so Uber works better for them.” It also inadvertently gave anyone access to an untold number of sensitive scanned documents for almost 1,000 of these same drivers.
It takes about 16 minutes for anyone in the world to create an Uber driver account—all you need to do is fill out a few forms (name, email, password, etc.) and watch a 15-minute welcome video. After that, you’re prompted to upload basic driver documentation like your license, registration, and insurance. But according to one driver who tipped me off, Uber chauffeurs who try to add or edit that very information today are instead warped to a screen that contains documents for complete strangers, a legion of Uber drivers around the United States.
Clear, high-resolution pictures of driver's licenses, W-9 tax forms, livery car company articles of incorporation, and other sensitive personal documents—many of which contain social security numbers—can be easily viewed and downloaded.
It appears at least 179 pages of documents for drivers from Washington to Virginia were inadvertently exposed, just months after Uber showed its privacy weakness by hosting a large database of user information on a public GitHub page.
A representative for Uber told Gawker, “As soon as we were made aware of this we immediately fixed it.” The vulnerability existed up until roughly the time at which I asked Uber about it. No further details as to the extent or cause of the security hole were provided.