Uber has just disclosed that it was the victim of a data breach in which they say “some personal information” including names, email addresses and mobile phone numbers of 57 million Uber users and employees was stolen.  Uber has indicated that it paid a $100,000 ransom to the cybercriminals to delete the information.
There are a number of major problems unique to this data breach, most prominently that the data breach occurred in 2016 and Uber did not publicly disclose that it had occurred until now.  This is a violation of federal and state laws and regulations.  Also, there is no reason to believe that the hackers indeed have complied with deleting the information following the ransom payment.  Finally, we cannot be sure as to the true extent of the loss of personal information of Uber customers and employees.
Already a legal action seeking class action status has been filed and the NY Attorney General has launched an investigation.  I will keep you informed as to new developments in both of these matters.
If you were a Uber user or employee in October of 2016, which is when the ransom was paid, you are in jeopardy of identity theft.  Additionally, we do not know precisely how much earlier the data breach actually occurred.  If indeed the information lost was limited to your name, email address and mobile phone number, the biggest threat to you will be from spear phishing emails and text messages that may appear quite legitimate because the come addressed to you by name and may appear to relate to a legitimate purpose.  Clicking on links contained in these emails and text messages puts you at risk of downloading malware that can lead to identity theft or ransomware malware.  As always, the best course of action is to never click on any link, regardless of how legitimate it may appear until you have confirmed that it is legitimate.