An Uber database containing the names and driver’s license numbers of 50,000 current and former drivers was accessed by an outside party in 2014, the company announced today. Uber discovered the breach on September 17, 2014, and an investigation revealed one instance of unauthorized access on May 13, 2014. This means the information has been in the wild for nearly a year, though Uber drivers haven’t reported anything fishy and the database is now secure, the company said.
Uber began notifying affected drivers of the breach today and is offering a free year membership with an identity protection company. Of the 50,000 compromised names, 21,000 were based in California, prompting Uber to also notify the California attorney general, the LA Times says. Additionally, the company has filed a “John Doe” lawsuit in an effort to gather more information about the third party.
“Uber takes seriously our responsibility to safeguard personal information, and we are sorry for any inconvenience this incident may cause,” Uber said.
The data breach comes one month after Uber’s security protocols received a clean bill of health as part of an external privacy audit, though that was spurred by high-profile missteps with information about Uber’s passengers, not its drivers. In that report, the investigating agency recommended Uber start training its workforce in security issues and it further restrict access to data among employees.
“At Uber, protecting the personal information of riders is a core responsibility and company value,” CEO Travis Kalanick said at the time. “Delivering on that value means that privacy is woven into every facet of our business, from the design of new products to how we interact with riders, drivers and the public at large.”