Uber discloses data breach that may have affected 50,000 drivers

Uber suffered a data breach in 2014 that affected 50,000 Uber drivers across the U.S., the ride-sharing startup disclosed in a statement on Friday.

The company determined on September 17, 2014 that a third party could have accessed one of its databases. After Uber “changed the access protocols for the database” and opened an investigation, it learned that someone had apparently accessed that database on May 13, 2014, wrote Katherine M. Tassi, Uber’s managing counsel, privacy.

The information that may have been compromised included driver names and driver license numbers, but the startup said it is not aware of any “reports of actual misuse” of that data. The company said it will contact the affected drivers, enroll them in an identity-alert service and file a lawsuit to obtain more information about who the third party that accessed the database was.

While this data breach is small compared to the mega breaches that affected JPMorgan Chase, Sony Pictures Entertainment and Anthem in recent months, it’s notable because it seems to be the first publicly known data breach affecting a ride-sharing service.

The data breach also highlights the importance of setting up proper identity management and access controls for a company’s infrastructure, something on which many security startups are concentrating their efforts. At this time, it’s unclear how an unauthorized party was able to reach an internal database. Whatever the path turns out to have been, Uber will have to enforce tighter access-management policies at every point in its infrastructure if it wants to make its systems less vulnerable to breaches.

The breach comes at a time when President Obama has proposed a federal law that would require companies to notify their customers within 30 days of discovering a hack. Uber’s disclosure came well outside that 30-day window, though as far as we know the breach affected only its own drivers, not its customers.

OneLogin grabs $25M to make sure bad guys can’t access your apps

The identity-management space is not showing any signs of slowing down as security startup OneLogin plans to announce Tuesday that it landed a $25 million series C investment round, bringing its total funding to $44 million.

This makes for another security-minded startup that has been attracting a lot of investor attention in recent months. Okta took in a $75 million funding round in June, Ping Identity grabbed $35 million in September and SailPoint reportedly raised several hundred million dollars in August.

All of these startups are tackling the same problem: today’s enterprises use a variety of cloud-based services, like Salesforce.com or Box, and have a hard time keeping track of who gets to log into which service. With large-scale hacks seemingly occurring every week (just ask Sony), companies also have to worry about whether attackers can get into corporate accounts using email addresses or passwords leaked in other data breaches, explained OneLogin CEO and founder Thomas Pedersen.

“In order to be cloud first, [companies] need to be identity first,” Pedersen said. “You can’t go into the cloud without an identity strategy.”

[Figure: OneLogin mobile]

OneLogin’s cloud-based service can sync with an organization’s Active Directory so that the identity and access rules already configured there carry over to the cloud, or admins can pick the matching app for each cloud service from OneLogin’s application catalog. From there, IT admins configure the access privileges for a particular app; they can, for example, allow only users within a given home country to access a Box account.

The whole idea is to give users a single sign-on account for all of their cloud services, managed through OneLogin, so that anyone without the right access privileges is unable to get into the cloud systems.
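To make the policy model described above concrete, here is an added example (not OneLogin’s code, and not from the original article) of a toy access-policy evaluator of the kind an SSO gateway runs on every login: users and their groups are taken from a directory (standing in for an Active Directory sync), each cloud app has a policy naming the allowed groups and, optionally, the countries a login may come from, and the evaluator fails closed for unknown users or apps. The directory entries, app names and policies are constructed sample data; treating the country restriction as a check on where the login originates (rather than only on the user’s home-country attribute) is an assumption.

```python
"""Toy SSO access-policy evaluator (added example, not vendor code)."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class User:
    username: str
    groups: frozenset          # group memberships synced from the directory
    home_country: str          # assumption: a directory attribute, ISO 3166 alpha-2
    active: bool = True        # disabled accounts must never pass SSO


@dataclass(frozen=True)
class AppPolicy:
    app: str
    allowed_groups: frozenset                    # any overlap with the user's groups grants access
    allowed_countries: Optional[frozenset] = None  # None means no geographic restriction
    require_mfa: bool = False


# Constructed sample directory, standing in for an AD sync.
DIRECTORY = {
    "alice":   User("alice",   frozenset({"sales", "staff"}), "US"),
    "bob":     User("bob",     frozenset({"eng", "staff"}),   "DE"),
    "mallory": User("mallory", frozenset({"staff"}),          "US", active=False),
}

# Constructed per-app policies, as an admin would configure them in a catalog.
POLICIES = {
    "salesforce":  AppPolicy("salesforce", frozenset({"sales"})),
    "box":         AppPolicy("box", frozenset({"staff"}), allowed_countries=frozenset({"US"})),
    "aws-console": AppPolicy("aws-console", frozenset({"eng"}), require_mfa=True),
}


def evaluate(username: str, app: str, login_country: str,
             mfa_passed: bool = False) -> Tuple[bool, str]:
    """Decide whether a login attempt may proceed to the target app.

    Returns (allowed, reason). Every path that is not an explicit allow is a
    deny, so a missing user, a disabled account or an app with no policy all
    fail closed rather than falling through.
    """
    user = DIRECTORY.get(username)
    if user is None:
        return False, "unknown user"
    if not user.active:
        return False, "account disabled"

    policy = POLICIES.get(app)
    if policy is None:
        return False, "no policy for app"

    # Group check: the user needs at least one of the app's allowed groups.
    if not (user.groups & policy.allowed_groups):
        return False, "not in an allowed group"

    # Geographic check on the login's origin (assumption, see lead-in).
    if policy.allowed_countries is not None and login_country not in policy.allowed_countries:
        return False, f"login from {login_country} not permitted"

    # Step-up authentication for sensitive apps.
    if policy.require_mfa and not mfa_passed:
        return False, "mfa required"

    return True, "allowed"


if __name__ == "__main__":
    for attempt in [("alice", "box", "US"), ("alice", "box", "RU"),
                    ("bob", "salesforce", "DE"), ("mallory", "box", "US")]:
        print(attempt, "->", evaluate(*attempt))
```

The ordering of the checks matters: account status is tested before anything else so that a disabled user is refused even for an app whose policy would otherwise admit them, and an unconfigured app is refused rather than treated as unrestricted.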

What separates many of these access-management-focused startups is their approach to securing mobile devices. Ping Identity, for example, recently rolled out a mobile app that essentially binds a mobile device to an organization’s network. OneLogin, on the other hand, “has been very focused on standards” and wants to make sure that vendors are getting behind OneLogin’s preferred method of handling mobile sign-ons, said Pedersen.

Scale Venture Partners drove the funding round along with previous investors Charles River Ventures and The Social+Capital Partnership. Rory O’Driscoll of Scale Venture Partners will join OneLogin’s board.