Uber has revealed that 2.7 million UK users of its app were affected by a 2016 data breach that it covered up for more than a year.
Hackers were able to obtain the names, email addresses and mobile phone numbers of passengers and drivers, the taxi-hailing firm said.
Downing Street said last week the cyber attack, which affected 57 million customers and drivers worldwide, was not initially reported by the company after it hushed up the scandal.
News of the hack came in an extraordinary admission by the US firm’s chief executive on November 21, revealing a server had been infiltrated in late 2016.
It was found Uber had not only sought to cover up the incident but also paid two hackers $100,000 (£75,000) to delete the data and keep the security lapse quiet.
Uber has revealed that 2.7m riders and drivers in the UK have been affected by a massive hack of data – more than half of its users in the country
The app is used in towns and cities across the UK, with 3.5 million passengers and 40,000 drivers in London.
Sadiq Khan, the capital’s mayor, said: ‘This latest shocking development about Uber will alarm millions of Londoners whose personal data could have been stolen by criminals.
‘Uber need to urgently confirm which of their customers are affected, what is being done to ensure these customers don’t suffer adversely, and what action is being taken to prevent this happening again in the future.
‘The public will want to know how there could be this catastrophic breach of personal data security.’
An investigation has been launched by the National Cyber Security Centre – the cyber security arm of GCHQ – as well as the Information Commissioner’s Office and the National Crime Agency.
The National Cyber Security Centre urged customers to change their Uber passwords immediately and be on their guard against phishing attacks by fraudsters.
There are concerns criminals can use stolen emails, mobile numbers and names to target customers.
Phishing attacks are emails which purport to be from a trusted source such as a bank.
They try to trick customers into handing over details such as bank account numbers.
The NCSC said the data gleaned from the Uber cyber attack – which also included driving licence information from drivers – ‘could be used by scammers to make phishing emails more convincing.’
James Dipple-Johnstone, deputy commissioner of the Information Commissioner’s Office, said he would expect Uber to alert everyone affected in the UK ‘as soon as possible’.
Wes Streeting, a Labour MP, said: ‘The fact that 2.7 million people in the UK had their personal details stolen is shocking in itself, but for Uber to actively conceal it for more than a year is a scandal.
‘Customers and drivers are rightly angry that they were not notified and were denied a chance to try to protect their details. Paying off criminal hackers and hushing it up is not the behaviour of a fit and proper operator.
‘This global mess shows Uber to be a company with rock bottom ethical standards. State authorities in the US have started to take action, and it’s high time the UK government did too.’
Uber said it does not believe any passengers need to take any action in relation to the data breach.
The firm said in a statement: ‘We have seen no evidence of fraud or misuse tied to the incident. We are monitoring the affected accounts and have flagged them for additional fraud protection.’
It reportedly tracked down the hackers and pressured them to sign non-disclosure agreements so news of the incident did not become public.
Company executives then dressed up the breach as a ‘bug bounty’, the practice of paying hackers to test the strength of software security, according to The New York Times.
Uber chief executive Dara Khosrowshahi, who took over in August, said in a blog that the firm ‘took immediate steps to secure the data and shut down further unauthorised access’ at the time of the incident.
He went on: ‘We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed.’
Mr Khosrowshahi added: ‘None of this should have happened, and I will not make excuses for it.
‘While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.’
In October Uber launched an appeal against Transport for London’s (TfL) decision to deny it a new operating licence in the capital on the grounds of ‘public safety and security implications’.