Uber's 2016 data breach affected 380,000 in Singapore, biggest reported breach here

The data breach incident, which occured in October 2016, saw hackers stealing the personal data of about 57 million Uber riders and drivers globally. PHOTO: REUTERS

SINGAPORE - Personal information of 380,000 riders and drivers of ride-sharing app Uber in Singapore - including names, e-mail addresses, and mobile phone numbers - was exposed in the app's data breach in 2016, making it the largest reported breach here to date.

Singapore's privacy watchdog, the Personal Data Protection Commission (PDPC), said it is investigating if the company had breached any laws.

"Uber's breach has affected a significant number of users in Singapore. The PDPC takes a serious view of data breaches and is investigating whether Uber has breached the data protection provisions of the PDPA (Personal Data Protection Act)," said a PDPC spokesman.

"We expect Uber's full cooperation in the course of the investigation."

The Land Transport Authority (LTA) similarly said in a statement that it "expects Uber to be fully transparent and cooperate with local regulators to disclose the extent of those (drivers and customers) that have been affected in Singapore".

"Uber, as a transport service provider, should be held to high standards of public accountability in both ensuring commuter safety as well as complying with the Personal Data Protection Act in relation to the personal data of commuters or drivers that they have collected," said an LTA spokesman.

In a statement uploaded on Uber's help page, the company said individual riders do not need to take action as the company has not seen evidence of fraud or misuse tied to the incident.

While Uber has not disclosed the total number of riders and drivers here, Uber Singapore's general manager Warren Tseng told The Straits Times in May that "over a million" people here actively use the app .

The data breach incident, which occurred in October 2016, saw hackers stealing the personal data of about 57 million riders and drivers globally. Uber disclosed the hack only a year later, on Nov 21, 2017.

The company paid US$100,000 (S$135,000) to the hacker responsible, which Reuters identified as a 20-year-old Florida man, to destroy the information.

Information such as trip location history, credit card numbers, bank account numbers, or dates of birth were not exposed, according to Uber's external forensics experts.

But several users have complained about being charged in November for phantom rides they did not take. In one instance, Uber rider Jenna Lim claimed that $1,300 worth of Uber rides she did not take were billed to her in a period of five days in November.

Uber said it had "no reason to believe" the two events are related as its corporate systems or infrastructure had not been breached.

This is the largest reported data breach of local information to date. In September 2014, the names, contact numbers and residential addresses of 317,000 customers were leaked by karaoke chain K Box Entertainment Group due to lax security measures.

K Box was fined $50,000 for flouting the Personal Data Protection Act.

Even though Uber claims the leaked data has been deleted, cyber-security experts say there might still be risks to users.

"Dealing with criminals means that there is no guarantee that sensitive information will be destroyed, even if money is paid out," said Mr Sanjay Aurora, British cyber-security services firm Darktrace's Asia-Pacific managing director.

And they warn that personal details can be exploited in several ways.

"Exposed user information acts as an entry point for cybercrime," said Mr Bill Taylor-Mountford, LogRhythm's vice-president for Asia-Pacific and Japan. "Spambots, for example, make use of these exposed credentials to send off phishing e-mails. "

The leaked information, such as names and e-mail addresses, could provide hackers with data on how to guess passwords, said Mr Sumit Bansal, the managing director of Asean and Korea at network security firm Sophos.

"Many times, personal passwords are derived from personal information such as names, birth dates and phone numbers.By having these personal details, hackers can potentially guess your password and obtain clues about how you create passwords," he said, advising users to change their passwords whenever such breaches occur.

Correction note: This version corrects the spelling of Asean. We are sorry for the error.

Join ST's Telegram channel and get the latest breaking news delivered to you.