380,000 Uber users hit in Singapore's largest data breach

Authorities probing if company broke any laws; Uber says no sign of fraud tied to 2016 hacking

The Singapore authorities said they are investigating the incident, including if Uber had breached any laws.


Personal information of 380,000 people here, including names, e-mail addresses and mobile phone numbers, were exposed when Uber was hacked last year, the ride-sharing company disclosed yesterday - owning up to what is Singapore's largest data breach to date.

Weeks after Uber came under fire for trying to conceal the hack that involved 57 million Uber riders and drivers worldwide, the true extent of the problem here is only starting to become clear.

The Singapore authorities said they are investigating the incident, including if the company had breached any laws.

Said privacy watchdog, the Personal Data Protection Commission (PDPC): "Uber's breach has affected a significant number of users in Singapore. The PDPC takes a serious view of data breaches and is investigating whether Uber has breached the data protection provisions of the Personal Data Protection Act (PDPA)."

The Land Transport Authority (LTA) said it "expects Uber to be fully transparent and cooperate with local regulators ".

"Uber, as a transport service provider, should be held to high standards of public accountability in both ensuring commuter safety as well as complying with the PDPA, " said an LTA spokesman.

While Uber has not disclosed the total number of riders and drivers here, Uber Singapore's general manager Warren Tseng told The Straits Times in May that "over a million" people here actively use the app.

It emerged last month that the company paid US$100,000 (S$135,000) to the hacker responsible for the breach in October last year to destroy the information in an effort to cover up the leak.

According to external forensics experts hired by Uber, information such as trip location history, credit card numbers, bank account numbers, or dates of birth were not exposed.

Yesterday, in a statement uploaded on Uber's help page, the company also said individual riders do not need to take action as the company has not seen evidence of fraud or misuse tied to the incident. But it did encourage users to report anything unusual related to their accounts.

The company had earlier dismissed any link between the hacking and reports of users here getting billed for rides they did not take.

In one instance, Uber rider Jenna Lim claimed that $1,300 worth of Uber rides she did not take were billed to her over a period of five days last month. Uber said last month it had "no reason to believe" the two events are related.

This is the largest reported data breach of local information to date. In September 2014, the names, contact numbers and residential addresses of 317,000 customers were leaked by karaoke chain K Box Entertainment Group due to lax security measures.

Cyber security experts warned that a data breach could still be harmful even if it did not expose financial information.

Said Mr Sumit Bansal, the managing director of Asean and Korea at network security firm Sophos: "By having these personal details, hackers can potentially guess your password and obtain clues about how you create passwords."

Join ST's WhatsApp Channel and get the latest news and must-reads.

A version of this article appeared in the print edition of The Straits Times on December 16, 2017, with the headline 380,000 Uber users hit in Singapore's largest data breach. Subscribe