‘Concerned’ UK Regulators Look Into Uber’s Hidden Data Breach

The Information Commissioner’s Office (ICO) and National Cyber Security Centre (NCSC) are investigating the scale of the 2016 data breach at Uber which saw the details of 58 million users and drivers accessed by third parties, but was kept secret by the company.

No financial details or journey records were taken by the attackers, who were paid $100,000 to delete the files, but some personal information was stolen and there are no guarantees the data was indeed destroyed.

Uber came clean about the incident yesterday, with new CEO Dara Khosrowshahi explaining he only became aware of the breach recently. Khosrowshahi only joined the company earlier this year and said the company was working with the authorities.

Read More: What on Earth was Uber thinking?

Uber hack

The ICO said it was “concerned” at the concealment and said it should have been notified when the data breach took place if it affected UK citizens.

“We can confirm that UK citizens have been affected by the data breach involving Uber last October,” said James Dipple-Johnstone, Deputy Commissioner at the ICO. “As UK citizens would expect, the ICO is in direct contact with the company to establish the numbers and what kind of personal data may have been compromised.

“We are working with the NCSC plus other relevant authorities in the UK and overseas to determine the scale of the breach, and what steps need to be taken by the firm to ensure it fully complies with its data protection obligations.

“It’s always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers. Deliberately concealing breaches from regulators and citizens could attract higher fines for companies.”

An NCSC spokesperson said it should have been notified by Uber and was also looking into the incident.

“Companies should always report any cyber attacks to the NCSC immediately,” said the NCSC. “The more information a company shares in a timely manner, the better able we are to support them and prevent others falling victim.

“We are working closely with other agencies including the NCA and ICO to investigate how this breach has affected people in the UK and advise on appropriate mitigation measures.”

Does IoT security concern you?

  • Yes (89%)
  • No (11%)

Loading ...

Had the incident taken place after the introduction of the EU’s General Data Protection Regulations (GDPR) next May, the penalties could have been more severe.

The GDPR is to replace the Data Protection Act (DPA) 1998, and the government has confirmed the referendum to leave the EU will not affect the regulations’ implementation in the UK.

The new rules will, amongst other things, vastly increase the power of European data protection authorities to impose fines, with organisations facing penalties of up to 20 million euros, or 4 percent of their annual worldwide turnover, whichever is greater.

By contrast, the ICO can currently impose fines of up to only £500,000.

Quiz: What do you know about transport technology?

Steve McCaskill

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.

Recent Posts

AT&T Admits Data Breach Impacted “Nearly All” Customers

American telecommunications giant AT&T admits that “nearly all” customer accounts were compromised in 2022 breach

9 hours ago

Elon Musk’s X Breached DSA Rules, EU Finds

X's Blue checks 'used to mean trustworthy sources of information. Now our preliminary view is…

13 hours ago

Japan’s SoftBank Acquires AI Chip Start-up Graphcore

SoftBank Group has purchased another British chip firm, with the acquisition of Bristol-based Graphcore Ltd…

14 hours ago

Samsung AI-Upgraded Bixby Voice Assistant Coming This Year

Samsung reportedly confirms it will launch the upgraded voice assistant Bixby this year, that will…

1 day ago

Next Neuralink Brain Implant Coming Soon, Says Musk

Despite an issue with first Neuralink implant in a patient, Elon Musk says second brain…

1 day ago

EU Accepts Apple’s Legal Commitments To Open NFC Access

Legal commitment over Apple's NFC-based mobile payments system, which is to be opened to rival…

1 day ago