ORLANDO, Fla — A Longwood woman never thought her Uber account could be stolen, then used by strangers anywhere in the world. But her account was hacked after she asked the company to close it. When she couldn't get her money back, she called Action 9 consumer investigator Todd Ulrich for answers.
“This was at 2:13 AM our time,” Gillian Hatcher said. That's the time Hatcher received the first alert. She said someone hacked her Uber account and took rides on her dime.
“I was freaked out. I was totally alarmed,” Hatcher said.
She said a woman called claiming she was an Uber driver in Arizona and that her account had been compromised.
“There had been several ride requests from my account, so she was afraid my account had been hacked,” Hatcher said.
She called Uber’s emergency number and told the company to close her account. Instead, she said she was charged for three rides that night, all in Lake Havasu Arizona which is 2,300 miles away from her home.
Each ride was $84 or $85.
Hatcher said she told Uber, “This is a fraudulent ride. This is not me.”
Her Uber account was linked to her debit card, that night $254 disappeared from her bank account.
Hatcher was feeling betrayed, so she called Action 9.
The giant ride sharing company has a history of problems with how it handles consumer's information. Two years ago, Washington state accused Uber of failing to report a massive data breach. An FTC consent agreement found Uber failed to closely monitor access to consumer and driver data.
Uber is rated F at the Better Business Bureau for how it responds to complaints.
IT security experts say most times scammers hack into accounts by tricking you into sharing passwords.
“Just keep in mind Uber will never ask for information, will not ask for personal information. Nobody is going to call you from Uber or Lyft,” said Tommy Orndorf with Bayshore Interactive.
A week after Hatcher first contacted Action 9, Uber gave her a full refund for the ghost riders.
Uber told Action 9 there was no data breach, and her Uber account information is encrypted to protect privacy.
The first Uber call to Hatcher was suspicious, although Hatcher denies sharing any personal information with the caller.
Security experts suggest you should have unique passwords for every online account.
Uber response:
I work with the security teams at Uber, including those that handle fraud like this. I've asked our investigators to look into Gillian's case --- but the 2016 breach you mentioned did not involve any information that would provide access to a rider's account.
Given our privacy policies, I can’t discuss specific details of her account without her permission.
In the meantime, one thing to note upfront about Uber accounts is that they're designed to prevent theft of financial information --- e.g. when you type in your credit card or debit card number, it's immediately encrypted (you are the last person to see it). It can't be stolen from your account or Uber's systems because we don't have it -- and protects your card number even if someone gains access to your account.
Once I receive confirmation that Gillian is comfortable with us sharing details of this incident with you, I’ll be happy to explain what happened & provide guidance for other riders on how to avoid similar situations.