I first reported to you about a massive data breach at Uber in a Scam of the day in November of 2017. Unfortunately, the data breach had actually occurred in 2016 and Uber did not disclose that it had suffered the data breach until 2017. Personal information including names, email addresses and mobile phone numbers of 20 million Uber users and employees was stolen.

There were a number of major concerns unique to this data breach, most prominently that the data breach occurred in 2016 and Uber did not publicly disclose that it had occurred until late in 2017.  This was a violation of federal and state laws and regulations.  In 2018 Uber agreed to pay 148 million dollars to the Attorneys General of all of the 50 states and the District of Columbia to settle charges brought against it for its failure to exercise proper security and its failure to promptly report the data breach as required by law. Also, under the terms of the settlement, Uber is required to comply with all state laws pertaining to protecting personal information and to immediately notify the appropriate authorities in the event of another data breach. Uber also agreed under the terms of the settlement to establish new stronger security protocols.

Now Uber has settled criminal charges with the Justice Department through a Non-Prosecution Agreement which effectively dismisses the charges if Uber continues to meet its obligations to better protect personal information and comply with state and federal laws in that regard.

If you were a Uber user or employee in 2016 you are in jeopardy of identity theft.  Additionally, we do not know precisely how long the data breach actually occurred.  If indeed the information lost was limited to your name, email address and mobile phone number, the biggest threat to you will be from spear phishing emails and text messages that may appear quite legitimate because the come addressed to you by name and may appear to relate to a legitimate purpose.  Clicking on links contained in these emails and text messages puts you at risk of downloading malware that can lead to identity theft or ransomware malware.  As always, the best course of action is to never click on any link, regardless of how legitimate it may appear until you have confirmed that it is legitimate.

Everyone should freeze their credit reports at the three major credit reporting bureaus. But if you have been a victim of a data breach, it is even more important to do so.

Here are links to each of the three major credit reporting agencies with instructions about how to get a credit freeze:

If you are not a subscriber to Scamicide.com and would like to receive free daily emails with the Scam of the day, all you need to do is to go to the bottom of the initial page of http://www.scamicide.com and type in your email address on the tab that states “Sign up for this blog.”