I wonder
Can Genova Burns sue itself for failing to properly protect this data?
Uber has had more of its internal data stolen from a third party that suffered a security breach. This time, the personal info of the app's drivers was swiped by miscreants from the IT systems of law firm Genova Burns. In a letter [PDF] to affected drivers, the lawyers said they had looked into the intrusion, and had some bad …
From the letter to drivers, the firm said it got the data because it was representing Uber in some matters:
"In connection with this legal representation, we received data regarding certain drivers on the Uber platform, which included information about you."
We'll add that to the piece.
C.
Thanks - adds context.
It still leaves the issues of just how much they had - that weasel word "included" - and whether they needed it all. And whether the drivers knew it had been passed on. We're still not at the stage where data is regarded as toxic: you may need to have some but it's safest to hold as little as possible. And insufficiently guarded is doubly toxic.
I think social security numbers or the concept ought to be retired in light of modern day technology and the repeated demonstrated impossibility of securing them without destroying their utility.
By creating these hoards of information in the first place, so do we ensure that they are abused.
TLDR: SSNs are only an identifier, not an authenticator, and use without an authenticator is rampant. That is what needs fixing.
SSNs should not be retired. They can only be used as an identifier. As such, their security requirements would be at the same level as a name - minimal. A separate matter is when multiple identifiers for an individual are combined, the security requirements of the combined set should be additive at minimum. When multiple records are combined, security requirements multiply. Simple math really.
What is lacking in the use of SSNs is authentication. In cases of identity theft (fraud against creditors) the creditor accepts a set of information and performs minimal authentication, if that is what you would call it. They do make sure the new account given the SSN and name combination is assigned an interest rate or security deposit commensurate with the credit rating assigned to the combination by the credit bureaus. They may not be bothered if the mailing or physical address given matches the record. They will make efforts to obtain an email address and mobile number for notifications, alerts, marketing, and flogging the new dataset to the highest bidder.
Imagine setting up an online account where some form of credit is given. You provide info similar to above. Upon return to the account from an "unknown device" you are not asked for a password or a code sent via SMS or to insert a U2F key device. Upon submitting your username (SSN) you are presented with a Welcome, <FIRSTNAME> <LASTNAME> message, you have 1 million currency unit credits to spend. If this is not <FIRSTNAME> <LASTNAME>, then please log out. This is nearly the same level of authentication granted in instances of identity theft (fraud against creditors).
To top it off, the creditors are permitted to hold the individual authentically described by the SSN and name combination liable for whatever credit was granted and used, without properly authenticating the initial individual presenting said information fraudulently. This is how fraud against creditors becomes identity theft. The identity theft victim is given the legal ability to jump through hoops bound with copious red tape to deny such liability. Seeing money to be made, the Identity Theft and Credit Monitoring industry has arisen.
You have already been compromised in so many ways. There is presently a bill in Congress that will make it a one million dollar fine for using a VPN. On top of that, every government agency will have access to your computer without a warrant. They will also have access to your bank account as well.