The National Cyber Security Centre has launched an investigation after Uber failed to disclose a massive data breach that took place a year ago and that the San Francisco-headquartered car-booking company kept secret.
The National Crime Agency has suggested the hackers who were responsible for the breach may have been British-based, and the Information Commissioner's Office (ICO) said it had 'huge concerns about Uber's data policies and ethics' following the hack that exposed the details of 57m customers and drivers.
James Dipple-Johnson, ICO deputy commissioner, said the company's actions were unacceptable. He commented: 'It's always the company's responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers. Deliberately concealing breaches from regulators and citizens could attract higher fines for companies. If UK citizens were affected, then we should have been notified so that we could assess and verify the impact on people whose data was exposed.'
Hackers were paid to hide data breach
The breach exposed names, email addresses and phone numbers, although location data, credit card numbers, bank account numbers, social security numbers and birth dates were not compromised.
Uber's chief executive, Dara Khosrowshahi, issued a statement: 'None of this should have happened, and I will not make excuses for it. While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.'
The company also confirmed it had paid the hackers responsible $100,000 to delete the data and keep the breach quiet. The payment was arranged by chief security officer Joe Sullivan under the watch of former CEO Travis Kalanick, according to several current and former employees.
Mr Sullivan has been fired; Mr Kalanick remains on Uber’s board. Craig Clark, the company’s legal director of security and law enforcement, was also dismissed.
New boss knew about hack for months
More than two months elapsed before Mr Khosrowshahi notified customers and drivers of the data breach, people familiar with the matter have said.
He learned of the 2016 hack two weeks after taking up his role in September, according to the sources. Mr Khosrowshahi said he immediately ordered an investigation, which he wanted to complete before making the matter public.
Company faces mounting pressure in US
The US Federal Trade Commission has said it was 'closely evaluating the serious issues raised,' and the Senate Commerce Committee has been urged to hold a hearing to 'demand Uber explain their outrageous breach - and inexplicable delay in informing its consumers and drivers.'
The Uber data breach has implications for all
Writing in the Financial Times, Julia Apostle, former lead counsel at Twitter UK, says the company’s decision to pay a ransom to delete stolen data will have a negative impact on all digital service providers.