ICO and NCSC are looking into the scale of the Uber hack before they take next steps
The Information Commissioner’s Office (ICO) and National Cyber Security Centre (NCSC) are investigating the scale of the 2016 data breach at Uber, which saw the details of 58 million users and drivers accessed by third parties but was kept secret by the company.
No financial details or journey records were taken by the attackers, who were paid $100,000 to delete the files, but some personal information was stolen and there are no guarantees the data was indeed destroyed.
Uber came clean about the incident yesterday, with new CEO Dara Khosrowshahi explaining he only became aware of the breach recently. Khosrowshahi only joined the company earlier this year and said the company was working with the authorities.
The ICO said it was “concerned” at the concealment and said it should have been notified when the data breach took place if it affected UK citizens.
“We can confirm that UK citizens have been affected by the data breach involving Uber last October,” said James Dipple-Johnstone, Deputy Commissioner at the ICO. “As UK citizens would expect, the ICO is in direct contact with the company to establish the numbers and what kind of personal data may have been compromised.
“We are working with the NCSC plus other relevant authorities in the UK and overseas to determine the scale of the breach, and what steps need to be taken by the firm to ensure it fully complies with its data protection obligations.
“It’s always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers. Deliberately concealing breaches from regulators and citizens could attract higher fines for companies.”
An NCSC spokesperson said it should have been notified by Uber and was also looking into the incident.
“Companies should always report any cyber attacks to the NCSC immediately,” said the NCSC. “The more information a company shares in a timely manner, the better able we are to support them and prevent others falling victim.
“We are working closely with other agencies including the NCA and ICO to investigate how this breach has affected people in the UK and advise on appropriate mitigation measures.”
Had the incident taken place after the introduction of the EU’s General Data Protection Regulation (GDPR) next May, the penalties could have been more severe.
The GDPR is to replace the Data Protection Act (DPA) 1998, and the government has confirmed the referendum to leave the EU will not affect the regulations’ implementation in the UK.
The new rules will, amongst other things, vastly increase the power of European data protection authorities to impose fines, with organisations facing penalties of up to 20 million euros, or 4 percent of their annual worldwide turnover, whichever is greater.
By contrast, the ICO can currently impose fines of up to only £500,000.