BALTIMORE (WJZ)– Uber has joined the growing list of companies targeted by cyber hackers.
Uber is coming clean about its cover-up of a year-old hacking attack that stole personal information about more than 57 million of the beleaguered ride-hailing service’s customers and drivers.
When the breach was discovered last October, instead of reporting it to Maryland by law, the company paid hackers $100,000 to keep quiet.
The thieves also nabbed the driver’s license numbers of 600,000 Uber drivers.
“Consumers giving their information to a business they’re trusting that business to do the right thing, to protect their data,” said cyber risk expert Mike Volk.
Volk says Uber likely violated Maryland’s Information Protection Act.
“For instance, in Maryland you have to notify as soon as reasonably possible some of the newer laws puts a time on it like 72 hours,” he said.
Vok urges victims of hacks to put a freeze on their credit reports and to monitor them carefully.
Because of no federal laws–when it comes to notification requirements, companies notify states, but only after a lengthy process, where consumers are often last to know.
“I am concerned, because I’m afraid that all of my information will be out there, and I’ll be vulnerable,” said Maryland resident Ellen Newman. “If I want anything done, I’ll ask one of my children to do it.”
“When they get hacked that’s all of our information,” Maryland resident Bill Kelly said. “The general public should be upset of not protecting the backdoor.”
Uber’s current CEO, Dara Khosrowshahi, criticized the company’s handling of the data theft in a blog post that said there’s no evidence the stolen information has been misused.
The Identity Theft Resource Center says there has been nearly 1,200 breaches in the U.S. so far this year, exposing records of nearly 172 million Americans.
WJZ reached out to Maryland Attorney General Brian Frosh to see if Uber broke Maryland law when it comes to notification, but did not receive a response.
Experts say to limit your risk of becoming a victim of cyber attacks, you can always make purchases in cash.