Who is this guidance for?
This guidance is aimed at all UK Uber customers and drivers. While your details may not have been compromised, it is prudent to take precautionary action.
A breach of Uber customers’ and drivers’ records from October 2016 was reported to the NCSC on Tuesday 21 November 2017. Based on current information, we have not seen evidence that financial details have been compromised. We are working with the ICO to verify the extent of this breach, including the type and volume of information compromised. Once we have a sufficient assessment of the incident we will publish the details of the impact on UK citizens. This page will be updated with advice for customers and drivers as more information comes to light about the Uber data breach.
What should I do?
Our main advice to Uber account holders and drivers is to be vigilant and follow the NCSC advice set out below.
What do I do if I think my details have been used for fraudulent purposes?
Based on current information, we have not seen evidence that financial details have been compromised. However, if you think you have been a victim of online crime, you can report a cyber incident using Action Fraud’s online fraud reporting tool any time of the day or night, or call 0300 123 2040. For further information visit www.actionfraud.police.uk.
Could my data be used for phishing attacks?
Uber account holders should be vigilant against phishing attacks. This could be a suspicious phone call or targeted emails. Information about how you can help protect yourself against phishing can be found here. Uber’s data does include information on telephone numbers and names of customers. Usually, if you are the target of a phishing message, your real name will not be used. However, in this case, people will need to be alert to any message that purports to be from an organisation they deal with.
If you are an Uber customer or driver we recommend that you follow our easy-to-understand advice:
1. Do not feel obliged to delete the app
We don’t have a recommendation to keep or delete the Uber app. The incident took place over a year ago and we have seen no evidence of additional risk having the app on your phone today. However, if you do want to delete your Uber account, deleting the app isn’t enough to remove your data from their systems. To remove your data from their systems you also need to delete your account by following the advice found here.
2. Immediately change passwords you used with Uber
Legitimate users can make a compromised password useless by replacing it with a new one the attacker does not know. If you re-used the same password on other accounts, you should change the password on those too. More advice on password protection can be found here.
3. Be alert to potential phishing emails
Phishing attacks can come through emails sent by strangers that mimic an established or trusted party to lure compromising information from the recipient. Since Uber’s data includes personal information, such as customers’ phone numbers and driving licence information, these could be used by scammers to make phishing emails more convincing. Guidance on preventative measures against phishing emails can be found here.
4. Be vigilant to potential scam phone calls
We also recommend being especially vigilant against phone calls you receive. If you do receive a phone call that is suspicious - for example, one that asks you for security information - do not divulge any information and hang up. When you next pick up the phone, make sure there is a dial tone to ensure the caller is not still on the line. Immediately contact the organisation that the caller claimed to be from using a phone number gained from their company website. Do not use any details provided during the previous call – these could be bogus.
5. Contact Action Fraud if you think you have been a victim
If you think you have been a victim of cyber crime or cyber enabled fraud, you should contact Action Fraud for help. Their online fraud reporting tool can be used any time of the day or night, or call 0300 123 2040. For further information visit www.actionfraud.police.uk
The NCSC provides expert, trusted, and independent guidance for UK industry, government departments, the critical national infrastructure and private SMEs. All our guidance is advisory in nature and is underpinned by our unique insights into cyber threats.