The latest company to join the data breach pile is ride-sharing service Uber, which announced this week it got hacked back in May 2014.
Uber says a database breach last year leaked the names and driver’s license numbers of as many as 50,000 current and former Uber drivers, 21,000 in California alone.
Uber says it discovered and “immediately” patched the security hole in September. The company notified drivers and the California Attorney General on Friday, and filed a ‘John Doe’ lawsuit to gather more information on the unidentified perpetrator.
The question now is why Uber waited nearly five and a half months to say anything.
As Mike Isaac of The New York Times points out, Uber announced a nine-month-old breach at 5pm on a Friday. He’s not saying Uber’s trying to bury the news, but he’s not not saying that.
And Slate notes Uber used the blandest URL possible. The February 27 posting, titled simply “Statement,” is newer than other items on Uber’s blog but is not on the default list.
“The company seems to hope its blog post on the matter will disappear from Internet memory. The URL is impressively unsearchable.”
The Wall Street Journal talked to a cybersecurity expert at a D.C. law firm. “I usually expect it’s no more than 60 days before you start notifying people. Unless they were cooperating with law enforcement, which is a possibility, it would seem to be an unusual delay.”
For comparison: reports show health insurer Anthem announced its security breach and started damage control within a week of detecting intruders in its network. And that hack could affect as many as 80 million people.
So far, Uber has declined to comment on the timing. The company is enrolling affected drivers in identity theft protection and recommending they monitor their credit reports.