- Uber concealed a huge data breach in 2016 that affected 57 million people.
- The company paid hackers $100,000 to delete the data they had stolen.
- It’s not clear how many UK citizens were affected but the Information Commissioner plans to investigate.
The Information Commissioner’s Office (ICO), the UK’s data regulator, said on Wednesday that it plans to investigate a huge data breach that Uber concealed.
Uber said on Tuesday that a hack in 2016 affected 57 million Uber customers and drivers. The San Francisco taxi app kept the breach a secret and paid the hackers $100,000 (£75,000) to delete the data.
When asked whether the ICO plans to issue Uber with a fine, a spokesperson told Business Insider: “It’s too early to say but it’s something that we’ll definitely be investigating.”
James Dipple-Johnstone, ICO deputy commissioner, said in a statement:
“Uber’s announcement about a concealed data breach last October raises huge concerns around its data protection policies and ethics.
“It’s always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers. If UK citizens were affected then we should have been notified so that we could assess and verify the impact on people whose data was exposed.
“We’ll be working with the NCSC plus other relevant authorities in the UK and overseas to determine the scale of the breach, how it has affected people in the UK and what steps need to be taken by the firm to ensure it fully complies with its data protection obligations.
“Deliberately concealing breaches from regulators and citizens could attract higher fines for companies.”
UPDATE: The ICO has now confirmed that UK citizens were affected by the breach, according to James Titcomb, technology editor at The Telegraph.
An Uber spokesperson was unable to say how many people in the UK were affected.
The breach took place in October 2016. The hackers were able to steal the names, emails, and phone numbers of 50 million riders globally, in addition to the personal information of 7 million drivers. This included US driver’s license numbers, but no Social Security numbers, according to Uber.
Uber CEO Dara Khosrowshahi quietly published a blog post about the incident on Tuesday.
“As Uber’s CEO, it’s my job to set our course for the future, which begins with building a company that every Uber employee, partner and customer can be proud of. For that to happen, we have to be honest and transparent as we work to repair our past mistakes.
“I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use. The incident did not breach our corporate systems or infrastructure.”
Khosrowshahi said Uber’s staff have not found any evidence that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded.
He added that two of the Uber employees who led the response to the breach left the company on Tuesday.
“None of this should have happened, and I will not make excuses for it,” said Khosrowshahi. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
A spokesperson for Prime Minister Theresa May released this statement about the Uber breach:
“These are obviously concerning reports and the National Cyber Security Centre is working closely with domestic and international agencies including the National Crime Agency and the Information Commissioner’s Office to investigate how this breach has affected people in the UK.
“We have not seen evidence that financial information has been compromised. It is unclear at this stage what countries were affected by the attack.
“Uber did not notify individuals, the UK government or UK regulators last year at the time of the breach. As soon as we became aware of the breach we reached out to international partners to get a better understanding of the threat. That work is ongoing.”