Privacy experts call on Uber to investigate after man gets nearly $1000 bogus bill
George Sfeir got a bill for a $982 Uber ride in Chicago he says he never took
A string of complaints by customers charged for Uber trips they say they never took has security experts calling on the ride-hailing company to launch a formal investigation to make sure its databases haven't been breached.
After CBC News reported on the story of Laura Hesp, who lives in Toronto but was billed for an Uber ride taken on her account by someone in Poland, several others came forward to report similar experiences. Uber has warned customers incidents like this may be the result of phishing scams, but experts CBC News spoke to think the company should investigate to rule out the possibility that its own databases have been hacked.
The stories begin the same way. A person receives an unexpected email confirming an Uber cab is minutes away — except the customer hasn't ordered one and the trip is thousands of kilometres away in another country.
George Sfeir, a 49-year-old Toronto man, says he was in his car on the way to his cottage in rural Ontario in July when he got a bill for an Uber ride he never ordered.
It was one of six bills he would receive over the span of two days for trips taken in Las Vegas, Des Plaines, Ill., and other American cities that Sfeir says he never visited.
Most of the trips ranged in price from $10 to $100. But when he received a bill for a whopping $982 rung up for an Uber trip in Chicago, Sfeir says he began to panic.
"That was really scary," he says, adding that at first, even his credit card company didn't believe his story.
"When I called MasterCard, they were surprised, saying, 'This can never happen. You need to have had your phone. Are you a scammer?'"
It's a familiar story for Gary Mooney.
Earlier this month, the 72-year-old was out for dinner with friends in Ontario's Prince Edward County when he got his first bill for a phantom Uber ride. It was one of three invoices he would receive, each for rides taken in Warsaw, Poland.
"Being as how I wasn't anywhere near Warsaw, I got immediately suspicious. It looked like Uber had been hacked because I've never had any account … compromised before," Mooney says.
Mooney says he received an email from Uber's fraud department offering to cancel the charges, advising that he should change his password. He thought he was alone until he read about Hesp.
'Somebody had to have hacked into Uber'
"My feeling is that somebody had to have hacked into Uber … and was able to obtain this information from Uber data files."
In each instance, Uber refunded the amounts and cautioned the account holders about the dangers of phishing scams.
In a statement to CBC News, Uber said its security teams and automated systems continuously watch the company's network for suspicious activity.
"When we detect fraud, including these instances caused by reused passwords or phishing, we work with consumers to quickly secure their accounts and refund unauthorized charges. We recommend riders use unique passwords for their accounts and contact our support team if they believe their accounts have been compromised," the statement said.
"That's convenient for them to say, but I was surprised to see this article on CBC News about somebody else who had exactly the same problem," Mooney said. "That seems to suggest a pattern."
And while consumers can take steps to protect themselves such as not reusing their passwords, cyber-security expert Daniel Tobok says Uber needs to investigate its own databases.
"It's also on Uber to conduct some kind of an official investigation to see if their information was breached," Tobok said.
After all, the ride-hailing service has been breached before. An investigation by Uber in September 2014 found one of the company's databases was accessed by a third party, leaving the names and driver's licence numbers for approximately 50,000 drivers exposed. The breach also affected up to 200 drivers' banking information and social insurance numbers of up to 100 drivers.
Tobok wants to know if any of the information that might have been compromised in the 2014 breach might have been sold on what's known as the dark web, a part of the internet not indexed by search engines, where illicit activity often goes undetected.
Uber says the 2014 breach compromised information concerning drivers, not customers, and that the incident is unrelated to the complaints communicated to CBC News.
But Tobok wonders if it happened to drivers then, could it happen to customers now?
"They need a little bit of homework on their end as well," he says.
The executive director of Ryerson University's Privacy and Big Data Institute, Ann Cavoukian, agrees.
"To suggest that all of this is from phishing expeditions, I question that," Cavoukian said.
On top of that, Cavoukian says, the fact that the bogus trips are taking place overseas raises the question of unauthorized access by Uber operators in other countries to customers' personal information that might then be used for fraudulent rides.
"It's incumbent on Uber to figure this out. Get in there and investigate."
With files from Chris Glover