Uber Says Unauthorised Transactions In Singapore Not Linked To Global Breach

Uber believes its massive data breach, which has compromised 57 million global accounts, is not linked to a recent spate of unauthorised transactions reported by customers in Singapore.

Users of the ride-sharing app had discovered charges made to their accounts and credit cards for rides they never took. These included rides taken outside of Singapore, including the UK and US, and paid for in foreign currencies, according to a report by local broadcaster Channel NewsAsia.

One customer noted as many as 30 unauthorised transactions made over five days, in US dollars, while another reported at least 15 made to her debit card in UK pounds. Uber had said it would refund the transactions.

Asked if these were related to the global data breach exposed this week, an Uber spokesperson told ZDNet said there was no reason to believe the two were linked. She said the global incident, which originated in 2016, did not breach the company's corporate systems or infrastructure.

"And our [external] forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, NRIC, or dates of birth were downloaded," she added.

The US company this week was reported to have concealed a massive data breach for more than a year, even resorting to paying off hackers US$100,000 to delete the information and keep details of the breach quiet.

Originating in October 2016, the breach compromised 57 million Uber accounts worldwide, with hackers gaining access to names, email addresses, and phone numbers. Some 7 million drivers also were affected, including details of more than 600,000 driver licenses.

In his statement, Uber CEO Dara Khosrowshahi pointed to two individuals outside the company who had accessed data stored on a third-party cloud-based service it used. Its internal systems were not breached and forensics investigation did not reveal any breach on trip location history or social security numbers, Khosrowshahi said.

He added that the company gained assurance from the "individuals" responsible for the hack that all compromised data had been destroyed.

Chief security officer Joe Sullivan, identified as the executive who concealed the breach, has been fired, according to Bloomberg.

ZDNet asked if Uber's Singapore office had informed the country's Cyber Security Agency (CSA) of the breach, the spokesperson said: "We are in the process of notifying various regulatory and government authorities and expect to have ongoing discussions with them. Until we complete that process, we aren't in a position to get into any more details."

Under current Singapore laws, most companies were not required to report security breaches to the authorities. However, licensees under the Monetary Authority of Singapore were mandated to do so.

The mandatory reporting of breaches soon would be required under the country's upcoming cybersecurity bill, expected to be introduced next year. Under the proposed law, operators of local critical information infrastructures (CIIs) would need to take steps to safeguard their systems and swiftly report threats and incidents--expected to be within 72 hours.

The bill listed 11 "essential services" sectors considered to operate CIIs: water, healthcare, maritime, media, infocommunications, energy, banking and finance, security and emergency services, land transport, aviation, and the government.

While it remained uncertain if companies such as Uber would fall under the "transport" category, CSA said it would make it clear--when the bill was passed--whether an organisation was a "designated CII operator".

Incidentally, Uber in Singapore was looking to hire a "head of security" for its Asia-Pacific operations as well as a "security investigator".