Out-Law News

UK authorities notified of Uber data breach 'by the media', says minister


Uber did not tell UK authorities about the data breach it experienced before going public about the incident, the UK's digital minister has said.

Matt Hancock told MPs that he heard about the breach through the media. In response to an urgent question raised about the breach in the UK parliament, Hancock also said UK authorities do not have "sufficient confidence" in Uber's estimates of the number of UK customers impacted by the breach to "go public" with it.

Earlier this week, Uber chief executive Dara Khosrowshahi issued a statement which confirmed that in "late 2016" two hackers managed to access the personal data of 57 million customers based around the world, which was stored on a third-party cloud computing platform the company uses.

Khosrowshahi admitted that he had only "recently learned" of the breach, despite others in the company knowing about the incident and taking action to "secure the data and shut down further unauthorised access" by the two hackers.

The data breach was not disclosed to regulators at the time of the incident, but Khosrowshahi said the company was now notifying the authorities of the incident, in addition to the customers and drivers whose data was compromised in the attack. 

Hancock said Uber did not inform the UK government, the Information Commissioner's Office (ICO) or the National Cyber Security Centre "before it spoke to the media" about the breach. He said the authorities are working to confirm how many UK citizens have been affected by the incident.

"We are told that some UK citizens’ data is affected," Hancock said. "We are verifying the extent and the amount of information. When we have a sufficient assessment, we will publish the details of the impact on UK citizens, and we plan to do that in a matter of days. As far as we can tell, the hack was not perpetrated in the UK, so our role is to understand how UK citizens are affected."

"We do not have sufficient confidence in the number that Uber has told us to go public on it, but we are working with the National Cyber Security Centre and the ICO to have more confidence in the figure," he said.

Hancock said that the UK authorities are also liaising with the US Federal Trade Commission and authorities in the Netherlands, where Uber has its European headquarters, to "get to the bottom of things".

"At this stage, our initial assessment is that the stolen information is not the sort that would allow direct financial crime, but we are working urgently to verify that further, and we rule nothing out," the minister said. "Our advice to Uber drivers and customers is to be vigilant and to monitor accounts, especially for phishing activity."

James Dipple-Johnstone, deputy commissioner at the ICO, said the watchdog is looking into the steps that Uber might need to take in light of the breach "to ensure it fully complies with its data protection obligations".

"It's always the company's responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers," Dipple-Johnstone said. "Deliberately concealing breaches from regulators and citizens could attract higher fines for companies."

Data protection law expert Anna Flanagan of Pinsent Masons said on Wednesday that the case served to highlight the importance of organisations having "appropriate internal processes in place to report personal data breaches to the right people within their organisation as soon as possible".

Those processes will be particularly helpful to businesses in meeting new requirements on the notification of personal data breaches under the forthcoming General Data Protection Regulation (GDPR), she said. The GDPR will apply from 25 May 2018.
