UK authorities were unaware of a mass data breach at Uber that potentially saw British customers’ personal details fall into the hands of cyber criminals.
Downing Street said the hack, which affected 57 million customers and drivers worldwide, had not been reported by the taxi-hailing firm after it hushed up the scandal.
Security services and the information watchdog have been left scrabbling to assess the scale of the damage amid warnings Uber’s secrecy could result in ‘higher fines’.
Downing Street said the hack had not been reported by the taxi-hailing firm after it hushed up the scandal
Uber said it could not yet confirm how many customers in the UK had their details compromised.
News of the hack came in an extraordinary admission by the US firm’s chief executive on Tuesday, revealing a third-party server had been infiltrated in late 2016.
A ransom of 100,000 US dollars (£75,500) had been paid to hackers so they would delete the data and keep the security lapse quiet.
Stolen information included names, email addresses and mobile phone numbers, as well as the names and number plates of 600,000 drivers in the US.
Prime Minister Theresa May’s official spokesman said: ‘These are obviously concerning reports and the National Cyber Security Centre is working closely with domestic and international agencies, including the National Crime Agency and the Information Commissioner’s Office, to investigate if and how this breach has affected people in the UK.
‘It is a worldwide incident and it is unclear at this stage which countries were affected by the hack.
Uer chief executive Dara Khosrowshahi said there was ‘no indication’ trip history, credit card details, bank account numbers or dates of birth were downloaded by the hackers
‘What we do know is, based on current information, we have not seen evidence that financial details have been compromised.’
He added that Uber ‘did not notify individuals in the UK, the UK Government or UK regulators’ at the time the hack was discovered in October last year.
The Information Commissioner’s Office (ICO) warned Uber it could face fines, saying the incident raised ‘huge concerns around its data protection policies and ethics’.
The tech company reportedly tracked down the hackers and pressured them to sign non-disclosure agreements so news of the incident did not become public.
James Dipple-Johnstone, deputy information commissioner, said the breach raises ‘huge concerns’
Company executives had then dressed up the breach as a ‘bug bounty’, the practice of paying hackers to test the strength of software security, according to The New York Times.
James Dipple-Johnstone, deputy commissioner of the information watchdog, said: ‘Uber’s announcement about a concealed data breach last October raises huge concerns around its data protection policies and ethics.
‘It’s always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers.
‘If UK citizens were affected then we should have been notified so that we could assess and verify the impact on people whose data was exposed.
He added: ‘Deliberately concealing breaches from regulators and citizens could attract higher fines for companies.’
Uber chief executive Dara Khosrowshahi, who took over in August, said in a blog there had been ‘no indication’ trip history, credit card details, bank account numbers or dates of birth were downloaded by the hackers.
He wrote: ‘At the time of the incident, we took immediate steps to secure the data and shut down further unauthorised access by the individuals.
‘We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed.’
Affected accounts have been flagged for additional fraud protection, Mr Khosrowshahi said.
‘None of this should have happened, and I will not make excuses for it,’ he wrote.
‘While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.’
Data protection lawyers at the Leigh Day legal firm said a ‘huge number of claims’ could be brought against Uber by its customers as a result of the security failing.