Uber’s decision to cover up the theft of 57 million people’s personal data could lead to a major fine, the Information Commissioner’s Office has warned.
Uber confirmed on Tuesday that it had paid hackers $100,000 to delete the stolen data but that it had failed to notify regulators or victims of the breach.
The announcement sent shockwaves through the cyber security industry, with experts lining up to condemn the firm for concealing the hack.
“Deliberately concealing breaches from regulators and citizens could attract higher fines for companies,” the ICO’s deputy commissioner James Dipple-Johnstone said last night.
The ICO also confirmed that UK citizens’ data had been affected by the breach, which took place in October last year.
“We are working with the NCSC plus other relevant authorities in the UK and overseas to determine the scale of the breach, and what steps need to be taken by the firm to ensure it fully complies with its data protection obligations,” Dipple-Johnstone added.
Uber’s recently installed CEO, Dara Khosrowshahi, said “none of this should have happened, and I will not make excuses for it”.
“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”
The stolen data included 57 million names, email addresses and mobile phone numbers. A total of 600,000 drivers’ names and licence details were exposed during the breach.
Two hackers obtained Uber login credentials for the cloud platform AWS after accessing a private area of GitHub, a platform for developers, according to Bloomberg, which first reported the breach.
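The attack path described above, credentials committed to a source repository and then replayed against the cloud account they unlock, is exactly what secret scanning over a code base is meant to catch before an attacker does. The following is an added example written for this page; it is not Uber's tooling, nor anything from the Bloomberg report. It scans a constructed in-memory "repository" for AWS access key IDs (the public "AKIA" plus 16 upper-case alphanumerics format) and for 40-character secret keys, and uses a Shannon-entropy check to discard placeholder values. The sample contents are made up, using the example key pair AWS itself publishes in its documentation; the regexes, the entropy threshold and the file layout are this example's own assumptions.

```python
import math
import re
from typing import Dict, List, Tuple

# Constructed sample repository (not a real code base). The key ID and secret in
# config/settings.py are the non-functional example values AWS publishes in its
# documentation; the placeholder in docs/example.env is there to show what the
# entropy filter drops.
SAMPLE_FILES: Dict[str, str] = {
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "docs/example.env": (
        "AWS_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"
    ),
    "README.md": "Set AWS_ACCESS_KEY_ID in your environment.\n",
    "src/app.py": (
        'session = boto3.Session(aws_access_key_id=os.environ["AWS_ACCESS_KEY_ID"])\n'
    ),
}

# Long-lived IAM user access key IDs start with "AKIA" followed by 16 upper-case
# alphanumerics; the look-arounds stop the match eating into a longer token.
AWS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(AKIA[0-9A-Z]{16})(?![A-Z0-9])")

# Secret access keys are 40 base64-like characters. This regex only finds
# candidates sitting next to a "secret key"-style name; the entropy check below
# decides whether the value looks like key material or a placeholder. The exact
# name pattern is an assumption of this example.
AWS_SECRET_RE = re.compile(
    r"(?i)(?:aws)?_?secret_?(?:access)?_?key\W{0,5}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Bits per character below which a 40-char candidate is treated as a placeholder
# (assumed threshold; real keys typically score well above 4 bits per char).
SECRET_ENTROPY_THRESHOLD = 3.5

# (path, line number, finding kind, matched value)
Finding = Tuple[str, int, str, str]


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for empty or uniform input)."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str) -> List[Finding]:
    """Return every credential-shaped token found in text, tagged with its line."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID_RE.finditer(line):
            findings.append((path, lineno, "aws_access_key_id", m.group(1)))
        for m in AWS_SECRET_RE.finditer(line):
            candidate = m.group(1)
            # Drop low-entropy values such as "xxxx..." or "REPLACE_ME" padding.
            if shannon_entropy(candidate) >= SECRET_ENTROPY_THRESHOLD:
                findings.append((path, lineno, "aws_secret_access_key", candidate))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> file contents and collect all findings."""
    out: List[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


if __name__ == "__main__":
    for path, lineno, kind, value in scan_files(SAMPLE_FILES):
        # Never log the full secret; show enough to locate it.
        print(f"{path}:{lineno}: {kind} {value[:4]}...{value[-4:]}")
```

Run as a script it reports the two leaked values in `config/settings.py` and nothing else: the README only names the variable, `src/app.py` reads it from the environment, and the 40 x's in `docs/example.env` have zero entropy and are filtered out. In a real pipeline the same functions would be run over every commit (including history, since deleting a key from HEAD does not remove it from the repository) and any hit would be treated as a credential to rotate, not just a line to fix.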
The embattled Silicon Valley firm has offered drivers free credit monitoring protection. Affected customers will not be offered the same service.
Uber’s chief security officer, Joe Sullivan, is one of two employees who have left the company over its handling of the breach.
Rik Ferguson, vice president of security research at security firm Trend Micro, said Uber had failed in its responsibility to its drivers, regulators and customers:
“However certain those responsible may have been that their attackers had been silenced, digital theft does not work the same way as in the physical world: you can never ‘buy back the negatives’ once data has been stolen.”