The October 2016 data breach of Uber’s systems affected up to 2.7 million user accounts in the UK belonging to both customers and drivers, it has emerged.
The breach saw details of 57 million accounts compromised, and Uber has been heavily criticised for not admitting sooner that its systems had been hacked, and for paying off those responsible. The organisation has already parted company with its chief security officer, Joe Sullivan, over the 13-month cover-up.
The data is understood to have included names, email addresses and mobile phone numbers, but according to Uber, trip location history, credit card and bank account numbers, and dates of birth were not downloaded.
In a statement, Uber said the 2.7 million figure was still an approximation, not an accurate or definitive number.
“Sometimes the information we get through the app or our website that we use to assign a country code is not the same as the country where a person actually lives,” said the firm.
Information Commissioner’s Office (ICO) deputy commissioner James Dipple-Johnstone added: “On its own, this information is unlikely to pose a direct threat to citizens. However, its use may make other scams, such as bogus emails or calls, appear more credible. People should continue to be vigilant and follow the advice from the National Cyber Security Centre (NCSC).
“As part of our investigation, we are still waiting for technical reports which should give full confirmation of the figures and the type of personal data that has been compromised.”
Dipple-Johnstone said the ICO expected Uber to begin to inform those affected as soon as possible, and reiterated that the NCSC, alongside other relevant UK authorities, was continuing to work to ensure the data of UK citizens was protected.
Digital minister Matt Hancock said in a written statement: “The government expects Uber to respond fully to the incident with the urgency it demands and to provide the appropriate support to its customers and drivers in the UK.
“Uber users should continue to be vigilant and follow the advice from the NCSC, which can be found on its website.
“The government takes both the protection of personal data and the right to privacy extremely seriously. It is always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and to take steps to reduce any harm to consumers, and it is welcome Uber has done this.”
The government said the new Data Protection Bill would grant the ICO further powers to defend consumer interests, and issue even higher fines of up to £18m, or 4% of an organisation’s global turnover in exceptional cases.
Separately, prosecutors in the US have heard that Uber may have hired ex-CIA intelligence operatives to conduct surveillance on its rivals. The trial, brought by Alphabet-owned Waymo, centres on allegations that Uber stole autonomous vehicle technology trade secrets from it.