The Information Commissioner’s Office (ICO) has confirmed that UK Uber users were affected by the breach of 57 million riders and drivers announced this week, and that it's investigating the incident.
In an official statement dated Wednesday, deputy information commissioner, James Dipple-Johnstone, claimed the breach and subsequent attempts to conceal it “raises huge concerns around its data protection policies and ethics.”
The privacy watchdog warned that deliberately concealing breaches from customers and regulators “could attract higher fines for companies”, although it can only currently go as high as £500,000.
“We are working with the NCSC plus other relevant authorities in the UK and overseas to determine the scale of the breach, and what steps need to be taken by the firm to ensure it fully complies with its data protection obligations,” said Dipple-Johnstone.
"It's always the company's responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers.”
Uber CEO, Dara Khosrowshahi, shocked users of the popular ride-hailing service across the globe yesterday when he revealed the firm had suffered a breach in “late 2016” which was never reported to the authorities.
Reports claimed the firm had paid hackers $100,000 for them to delete personal data on tens of millions of users, which they had accessed on Amazon Web Services via log-ins apparently found in a private Uber GitHub account.
The incident will not do Uber any favors as it tries to convince the London mayor to issue a new license to operate in the city, after TfL refused to renew it back in September.
Labour deputy leader, Tom Watson, has written to the company demanding to know more details of the incident, arguing that “the matter cannot be considered closed.”
He added:
“I note that when Transport for London announced that they would not be renewing Uber’s license to operate in London on 22 September Uber emailed its customers to ask them to protest against this decision the very same day. So far as I am aware, Uber has not yet made any efforts to contact customers about the compromise of their personal data. I expect that you will do so.”