Uber has accidentally leaked the personal details of hundreds of its drivers through a newly launched app.
The controversial company released a new "Uber Partner app" yesterday, which it claimed is "designed to give drivers more information so Uber works better for them".
However, as first reported by Gawker, a design flaw also gave drivers more information about each other by allowing anyone access to nearly 1,000 sensitive scanned documents, including social security numbers, tax forms, insurance documents, driving licenses and taxi certification forms.
The bug apparently appeared when an Uber driver tried to upload or edit such documents, with Gawker writing that they were "warped to a screen that contains documents for complete strangers, a legion of Uber drivers around the United States".
Speaking to Motherboard, an unnamed Uber driver said: "It (the app) started loading hundreds, maybe thousands of other uploaded documents from other Uber drivers. When I looked closer, it might have been the database of Uber drivers that are taxicab drivers that have access to Uber. There were a lot of taxi certification forms and livery drivers licenses."
Uber has responded to the incident, telling IT Pro: "We were notified about a bug impacting a fraction of our US drivers earlier this afternoon. Within 30 minutes our security team had fixed the issue.
"We'd like to thank the driver who drew it to our attention and apologise to those drivers whose information may have been affected. Their security is incredibly important to Uber and we will follow up with them directly."
The organisation also claimed that no more than 674 drivers in the US were affected.
However, this isn't the first time Uber has suffered a serious security breach exposing the details of its drivers.
In May 2014, a hacker stole the company's database containing the details of thousands of drivers, which were then posted to GitHub - and Uber didn't notice until September.
Even then, it did not notify registered drivers that their details were at risk until it had filed a lawsuit against GitHub demanding the IP addresses or subscriber details of anyone "that viewed, accessed, or modified these posts and the date/time of accessing, viewing, or modification".
-
Uber hit with €290m fine for storing European driver data in the USNews The fine marks the latest imposed on Uber by the Dutch data protection authority
-
Capita tells pension provider to 'assume' nearly 500,000 customers' data stolenCapita told the pension provider to “work on the assumption” that data had been stolen
-
Uber says compromised third-party to blame for data breachNews Vulnerable third-party vendor Teqtivity sparks second major incident for Uber in the space of three months
-
Uber launches infosec hiring spree after attributing breach to LAPSUS$News The company also hinted at the belief that LAPSUS$ was also behind the attack on Rockstar Games over the weekend in a revealing update detailing the inner workings of the attack
-
Uber hacked via basic smishing attackNews The self-taught hacker impersonated an IT worker to gain an Uber employee's password, obtaining broad access to internal systems and posting taunting messages
-
Former Uber security chief to face fraud charges over hack coverup
News This is thought to be the first instance of a corporate information security officer criminally charged with concealing a hack
-
Gumtree site code made personal data of users and sellers publicly accessibleNews Anyone could scan the website's HTML code to reveal personal information belonging to users of the popular second-hand classified adverts website
-
Pizza chain exposed 100,000 employees' Social Security numbersNews Former and current staff at California Pizza Kitchen potentially burned by hackers
