Data protection regulator the Information Commissioner’s Office has said that it has “huge concerns” relating to Uber’s cover-up of a massive data breach that came to light this week.
Uber admitted on Tuesday that it had failed to disclose a cyberattack that exposed the data of some 57 million combined drivers and passengers – and paid hackers to not release the stolen data.
In a statement posted online, Uber chief executive Dara Khosrowshahi said that an October 2016 attack encompassed personal information like names and phone numbers of Uber users worldwide.
In a blog post, he said two unnamed people outside the company had “inappropriately accessed user data stored on a third-party cloud-based service”, without breaching Uber’s internal systems.
“Our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded,” he added.
The data stolen included the names and licence numbers of around 600,000 drivers in the US and unidentified “personal information” on 57 million drivers and users around the world, including the drivers described above including names, email addresses and mobile phone numbers.
“We took immediate steps to secure the data and shut down further unauthorised access by the individuals,” Mr Khosrowshahi said.
“We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”
Those responsible were reportedly pressured to sign non-disclosure agreements so news of the breach did not get out.
The New York Times alleged that company executives had then dressed up the breach as a “bug bounty”, the practice of paying hackers to test the strength of software security.
Affected accounts have been flagged for additional fraud protection, Mr Khosrowshahi said.
“None of this should have happened, and I will not make excuses for it,” he wrote.
“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”
It is the latest in a series of scandals to damage Uber’s credibility, following Transport for London’s refusal to renew its licence and the company’s loss of an employment tribunal that ruled in favour of drivers demanding workers’ rights.
On Wednesday, the Information Commissioner’s Office said that Uber’s admission over the hack “raises huge concerns around its data protection policies and ethics”.
“It’s always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers,” said deputy commissioner James Dipple-Johnstone.
“If UK citizens were affected then we should have been notified so that we could assess and verify the impact on people whose data was exposed.”
He said that the ICO would be working with the National Cyber Security Centre (NCSC) and other relevant British and international authorities to determine the scale of the breach, and the extent to which it has affected people in the UK.
Mr Dipple-Johnstone said that the ICO and other agencies would also determine what steps need to be taken by Uber to ensure it fully complies with its data protection obligations.
“Deliberately concealing breaches from regulators and citizens could attract higher fines for companies,” he added.
A spokesperson for the NCSC, an arm of GCHQ, said companies must report any cyber attacks “immediately”.
“The more information a company shares in a timely manner, the better able we are to support them and prevent others falling victim,” he added.
“We are working closely with other agencies including the NCA and ICO to investigate how this breach has affected people in the UK and advise on appropriate mitigation measures.
“Based on current information, we have not seen evidence that financial details have been compromised.”
Concerns about corporate cybersecurity have intensified in the wake of high-profile hacks targeting companies like Yahoo — which disclosed this year that all three billion of its email users’ accounts were hacked in 2013 — and credit reporting agency Equifax, whose former CEO was grilled before Congress about security weaknesses that facilitated the attack.
According to Bloomberg, the Uber hack cost Chief Security Officer Joe Sullivan and an associate their jobs because they sought to keep it quiet.
Alex Neill, managing director of home products and services at consumer’s association Which?, said that data breaches are becoming increasingly common and the protections for consumers are lagging behind.
“The UK Government should use the Data Protection Bill to give independent bodies the power to seek collective redress on behalf of affected customers when a company has failed to take sufficient action following a data breach,” she said.
The EU-wide General Data Protection Regulation (GDPR) will punish companies attempting to conceal breaches after it comes into force in May.
The law, which the UK will remain part of after Brexit, will impose fines of up to €20m (£18m) or 4 per cent of the company’s global annual turnover – whichever is higher.
Proponents say it will harmonise national laws and “protect and empower all EU citizens’ data privacy and to reshape the way organisations across the region approach data privacy”.
It comes amid warnings over record levels of cyber crime, which are expected to continue rising as the techniques and programmes used become more easily obtained and operated.
Around 1.8 million cyber-enabled crimes took place in England and Wales last year, mostly involving fraud for profit, but also including disruption and data breaches blamed on hostile states including Russia, Iran and North Korea.
Join our new commenting forum
Join thought-provoking conversations, follow other Independent readers and see their replies