NH opens investigation into Uber hackingBy MIKE COUSINEAU
Union Leader Staff
November 22. 2017 1:44PM
The state's top consumer watchdog on Wednesday opened an investigation into the case of hackers stealing the personal data of 57 million customers and drivers from Uber.
"We are very concerned about it and we're certainly going to inquire further," said James Boffetti, a senior assistant attorney general. "I've opened up an investigation to take a look at it." As of March, the ride-sharing service said it had several hundred drivers serving nearly 40,000 active riders in New Hampshire.
Hackers stole the personal data of 57 million customers and drivers from Uber, a major breach that the company concealed for more than a year. This week, the ride-hailing firm ousted its chief security officer and one of his deputies for their roles in keeping the hack under wraps, which included a $100,000 payment to the attackers.
Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world, the company told Bloomberg. The personal information of about 7 million drivers was accessed as well, including some 600,000 U.S. driver's license numbers. No Social Security numbers, credit card information, trip location details or other data were taken, Uber said.
In New Hampshire, state law requires companies to notify the attorney general and affected individuals when a security breach occurs.
Equifax recently sent the state a letter saying a breach "potentially impacted residents" totaling 634,614. An even larger breach in 2015 involved nearly 668,000 current and former Anthem insurance members in New Hampshire.
Boffetti said state law requires notifying the state "within a reasonable amount of time," but "it doesn't appear that happened here."
In 2015, Uber notified New Hampshire about a 2014 "security incident involving unauthorized access to electronic files in a proprietary Uber database by a party unaffiliated with Uber."
The files, Uber said in a letter, contained names and driver's license numbers of people who had driven on the Uber platform. Uber said a third party accessed the database files once, on May 13, 2014, but there was no indication that information was misused. Approximately 15 Granite Staters had their names in the files.
Boffetti declined comment on whether Uber should have paid a ransom to the hackers in this latest incident.
The state has seen the number of reported security breach notifications "up fairly significantly in the last couple years," but Boffetti said he didn't have access to the figures Wednesday.
In the case of Uber, at the time of the incident, it was negotiating with U.S. regulators investigating separate claims of privacy violations. Uber now says it had a legal obligation to report the hack to regulators and to drivers whose license numbers were taken. Instead, the company paid hackers to delete the data and keep the breach quiet. Uber said it believes the information was never used but declined to disclose the identities of the attackers.
A spokesman from Uber said the company is in the process of notifying various regulatory and government authorities.
Boffetti recommended people request a free credit report from each of the three major credit reporting agencies and to monitor bank and credit card statements. People spotting any suspicious activity should contact the appropriate bank or credit card company.
"If someone had attempted to use your credit card to apply for credit in your name, that's ID theft," Boffetti said. "You might want to put a freeze on your credit. That basically locks your credit until you can figure out what's going on."
"Generally, people have to be vigilant in monitoring their financial health," Boffetti said.
Bloomberg contributed to this report.