Technology company Uber tells BR that at “this moment, we don’t have information to indicate whether Romanian users were impacted.”
The statement came amid revelations that hackers stole the data of 57 million users in 2016. The incident was uncovered by the media this November, with Uber’s CEO Dara Khosrowshahi later confirming the massive security leak.
“We are in the process of notifying various regulatory and government authorities and we expect to have ongoing discussions with them. Until we complete that process we aren’t in a position to get into any more details,” Uber representatives told BR.
According to the Wall Street Journal, Khosrowshahi knew about the leak in early September, but the customers were informed more than two months later. The American publication said that Uber paid the hackers that stole the data USD 100,000 to destroy them. According to people familiar with the matter quoted by WSJ, the hackers joined the “bug bounty” program of Uber and were paid in this way.
In Romania, the ride-hailing app is available in four cities and reached 250,000 users in 2016, according to Nicoleta Schroeder, the general manager of the local operations. The app first became available in Bucharest in February 2015.
“Our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded,” said the company in a statement about the incident from 2016. The company said that about 600,000 US drivers’ license numbers were accessed in addition to the names, emails and phone numbers of the app’s users.
American authorities have started to investigate the impact of the breach, while data protection agencies in the UK the The Netherlands have started their own assessments. In Romania, the authorities did not make any public comment on this matter.
BR has asked the national cyber security and incident response team CERT-RO, coordinated by the Ministry of Communications and Informational Society, to comment on this incident.
CERT-RO didn’t receive any information regarding the incident that impacted Uber users up to now, said Mihai Rotariu, consultant in the IT security and monitorization services of the organization.
“Up until now we didn’t receive any information regarding a potential impact on the data of Romanian users,” Rotariu told BR. He went on to say that Uber is not obliged to report such incidents to CERT-RO.
“In fact, in order to make an investigation on such a case, the extraction of data should happen through a security incident, in which IT resources in our country would have been exploited,” explained Rotariu, adding that the data breach happened in the US, according to public information.
The CERT-RO representatives said that the National Authority for Surveillance of the Processing of Personal DATA (ANSPDCP) is the main institution handling data protection matters in Romania.
The ride-sharing market in Romania is not regulated in any way at this moment, but Uber said on numerous occasions that it was open to work with policymakers to work on a draft bill in this sector.