Uber driver info stolen yet again: This time from law firm

Uber has had more of its internal data stolen from a third party that suffered a security breach. This time, the personal info of the app's drivers was swiped by miscreants from the IT systems of law firm Genova Burns. In a letter [PDF] to affected drivers, the lawyers said they had looked into the intrusion, and had some bad …

  1. VoiceOfTruth

    I wonder

    Can Genova Burns sue itself for failing to properly protect this data?

    1. cookieMonster

      Re: I wonder

      I’m sure someone in there is looking to see if it’s possible to make $ from it

  2. IGotOut Silver badge

    Did they raid a filing cabinet...

    ...and steal all the fax print offs?

    What they have email now? Wow

    1. TheMaskedMan Silver badge

      Re: Did they raid a filing cabinet...

      "What they have email now? Wow"

      Unfortunately, yes. Now they just have to learn to use it.

      Gone are the days of suave spies photographing confidential documents with the miniature camera hidden in their bowtie.

  3. Doctor Syntax Silver badge

    Why did they have this data in the first place?

    1. diodesign (Written by Reg staff) Silver badge

      Legal stuff

      From the letter to drivers, the firm said it got the data because it was representing Uber in some matters:

      "In connection with this legal representation, we received data regarding certain drivers on the Uber platform, which included information about you."

      We'll add that to the piece.

      C.

      1. Doctor Syntax Silver badge

        Re: Legal stuff

        Thanks - adds context.

        It still leaves the issues of just how much they had - that weasel word "included" - and whether they needed it all. And whether the drivers knew it had been passed on. We're still not at the stage where data is regarded as toxic: you may need to have some but it's safest to hold as little as possible. And insufficiently guarded is doubly toxic.

        1. Anonymous Coward

          Re: Legal stuff

          If Uber are constructing some sort of legal case against “certain drivers”, they won’t need to inform them when their data is shared with a law firm.

          1. yoganmahew

            Re: Legal stuff

            Yeah, it sounded like union busting activities to me.

  4. ChoHag Silver badge
    Windows

    > described the company's security as "awful."

    "Normal", kid. The word you're looking for here is "normal".

  5. anothercynic Silver badge

    I hope they get sued...

    ... That's just irresponsible.

  6. Ideasource

    I think social security numbers or the concept ought to be retired in light of modern day technology and the repeated demonstrated impossibility of securing them without destroying their utility.

    By creating these hoards of information in the first place so do we ensure that they are abused.

    1. hayzoos

      social security numbers

      TLDR: SSNs are only an identifier, not an authenticator and use without an authenticator is rampant. That is what needs fixed.

      SSNs should not be retired. They can only be used as an identifier. As such, their security requirements would be at the same level as a name - minimal. A separate matter is when multiple identifiers for an individual are combined, the security requirements of the combined set should be additive at minimum. When multiple records are combined, security requirements multiply. Simple math really.

      What is lacking in the use of SSNs is authentication. In cases of identity theft (fraud against creditors) the creditor accepts a set of information, performs minimal authentication if that is what you would call it. They do make sure the new account given SSN and name combination is assigned an interest rate or security deposit commensurate with the credit rating assigned the combination by the credit bureaus. They may not be bothered if the mailing or physical address given matches the record. They will make efforts to obtain an email address and mobile number for notifications, alerts, marketing, flogging the new dataset to the highest bidder.

      Imagine setting up an online account where some form of credit is given. You provide info similar to above. Upon return to the account from an "unknown device" you are not asked for a password or a code sent via SMS or to insert a U2F key device. Upon submitting your username (SSN) you are presented with a Welcome, <FIRSTNAME> <LASTNAME> message, you have 1 million currency unit credits to spend. If this is not <FIRSTNAME> <LASTNAME>, then please log out. This is nearly the same level of authentication granted in instances of identity theft (fraud against creditors).

      To top it off, the creditors are permitted to hold the individual authentically described by the SSN and name combination liable for whatever credit was granted and used without properly authenticating the initial individual presenting said information fraudulently. This is how fraud against creditors becomes identity theft. The identity theft victim is given the legal ability to jump through hoops bound with copious red tape to deny such liability. Seeing money to be made the Identity Theft and Credit Monitoring industry has arisen.

  7. OldCrow 1975

    Trust no one.

    You have already been compromised in so many ways. There is presently a bill in Congress that will make it a one million dollar fine for using a VPN. On top of that every government agency will have access to your computer without a warrant. They will also have access to your bank account as well.
