Uber tells ICO that 2016 hack saw names, numbers and email addresses stolen
Uber has confirmed that 2.7 million UK customers had their personal details stolen in a 2016 cyber attack.
The company made the admission to the Information Commissioner’s Office (ICO), which is investigating the incident. The breach affected 58 million users and drivers worldwide and was kept secret until last week.
New CEO Dara Khosrowshahi explained that he only became aware of the breach recently. Khosrowshahi joined the company earlier this year and said it was working with the authorities.
No financial details or journey records were taken by the attackers, who were paid $100,000 to delete the files, but some personal information was stolen and there are no guarantees the data was indeed destroyed.
The ICO said names, mobile phone numbers and email addresses were taken, details which could expose victims to social engineering attempts.
“On its own this information is unlikely to pose a direct threat to citizens,” said James Dipple-Johnstone, Deputy Commissioner at the ICO. “However, its use may make other scams, such as bogus emails or calls appear more credible. People should continue to be vigilant and follow the advice from the NCSC.
“As part of our investigation we are still waiting for technical reports which should give full confirmation of the figures and the type of personal data that has been compromised. We would expect Uber to alert all those affected in the UK as soon as possible.
“We are continuing to work with the NCSC plus other relevant authorities in the UK and overseas to ensure the data protection interests of UK citizens are upheld.”
Had the incident taken place after the EU’s General Data Protection Regulation (GDPR) comes into force next May, the penalties could have been far more severe.
The GDPR is to replace the Data Protection Act (DPA) 1998, and the government has confirmed the referendum to leave the EU will not affect the regulations’ implementation in the UK.
The new rules will, amongst other things, vastly increase the power of European data protection authorities to impose fines, with organisations facing penalties of up to 20 million euros, or 4 percent of their annual worldwide turnover, whichever is greater.
By contrast, the ICO can currently impose fines of up to only £500,000.