- Brendan McDermid/Reuters
- British customers and Uber drivers are considering suing Uber over a major data breach in 2016 which affected 57 million users globally, including 2.7 million in the UK.
- UK law firm Leigh Day told Business Insider that more than 10 customers had been in touch with legal queries, but said it hadn’t launched formal claims.
- Leigh Day said it had written to Uber asking for more details about the hacking incident.
- The news comes after a British government minister suggested Uber had acted illegally.
More than 10 British Uber users and a separate group of Uber drivers have consulted law firm Leigh Day about possible lawsuits against the ride-hailing firm over the massive data breach which affected 57 million users globally.
Speaking to Business Insider hours before Uber revealed the breach had affected around 2.7 million UK users, Leigh Day partner Sean Humber said the firm had written letters to Uber on behalf of clients as a preliminary step.
The letters consisted of 26 questions probing whether Uber has evidence that customer data was accessed inappropriately; whether it paid ransoms to hackers and how much; and details of any other hacks.
Humber said the process was at an early stage, and that Leigh Day hadn’t launched any formal claims.
“We are at the early stages here,” he said. “We’re just trying to find out more information in relation to the breach itself. We have clients who are customers, but also drivers, all in the UK.”
Humber wouldn’t disclose who the customers were, but said more than 10 had been in touch.
GMB, a workers’ union that also represents some Uber drivers, separately announced it had asked Leigh Day to probe the hack on behalf of its members.
Uber revealed last week that it had covered up a massive hack in 2016, where hackers accessed email addresses, names, and phone numbers. Uber reportedly paid off hackers as part of the cover-up, and failed to notify customers and regulators around the world of the breach. Incoming chief executive Dara Khosrowshahi apologised for the mistake, and fired the firm’s security chief, Joe Sullivan. According to the Wall Street Journal report, however, Khosrowshahi knew about the hack when he took the job in August.
Humber said a legal claim would depend on whether Uber responds to Leigh Day’s letters, and what the company says. He wouldn’t comment on how much Uber could stand to lose.
“If private, confidential information has been mishandled, that could be a breach of the Data Protection Act, and people would have a claim under the act,” he said. “It could be the misuse of private information, or it could be breach of confidence.
“If people have suffered distress or loss as a result of that data breach, in principle they are entitled to compensation.”
Part of Humber’s job is digging further into what Uber has said publicly. When the ride-hailing firm first disclosed the breach, it cited “outside forensic experts” who said there was no evidence customer or driver data had been misused.
“Who are these outside experts?” said Humber. “Would [Uber] provide us with a copy of their reports? It’s important to go beyond assurance. That’s all we’re asking for at this stage.”
It isn’t clear how successful any consumer suit against Uber in the UK might be. Uber has consistently stated that it doesn’t believe financial information was accessed in the hack, meaning victims might find it difficult to prove harm. Even if lawyers did uncover evidence that victims’ financial data was misused, it would be difficult to pin it on a hack that took place last year.
British lawsuits over data leaks are also still relatively rare in the UK, meaning there’s little precedence for an Uber case. An ongoing High Court case brought by workers at the supermarket Morrisons is one of the first data leak class actions in the country. There are, however, at least two class-action lawsuits against Uber in the US, though both have been brought about by states rather than individuals – Washington and Chicago.
Uber declined to comment.
Humber’s comments come after Matthew Hancock, the UK’s digital minister, suggested that Uber had acted illegally by failing to notify regulators of the breach.