The ICO and the NCSC are spearheading an investigation into a massive data breach that Uber suffered last year to identify the scale of the breach and the number of Britons affected by it.
The Information Commissioner’s Office (ICO) said Uber may attract huge fines for deliberately concealing the breach both from citizens and regulators.
Yesterday, Uber’s new CEO Dara Khosrowshahi revealed to the rest of the world that several of the company’s top executives had conspired to hide a massive data breach incident from the public and had even paid off a couple of hackers to erase any evidence of the breach.
As revealed by Khosrowshahi, the data breach compromised names and driver’s license numbers of around 600,000 drivers in the United States, as well as personal information of 57 million Uber users around the world, including names, email addresses and mobile phone numbers.
That Uber went to such great lengths to conceal a cyber incident that compromised the personal information of as many as 57 million customers, 50 million of them Europeans, has not amused regulators and privacy watchdogs.
Giving Uber a taste of things to come, the Information Commissioner’s Office has stated that the ride-hailing service, whose license to operate in the UK was revoked recently, may face huge fines for deliberately concealing the breach from citizens and regulators.
The ICO is now working with the National Cyber Security Centre and other authorities to determine the scale of the breach, how many British citizens were affected, and what can be done to minimise the impact of the breach.
‘We can confirm that UK citizens have been affected by the data breach involving Uber last October. As UK citizens would expect, the ICO is in direct contact with the company to establish the numbers and what kind of personal data may have been compromised,’ said James Dipple-Johnstone, deputy commissioner, ICO.
‘We are working with the NCSC plus other relevant authorities in the UK and overseas to determine the scale of the breach, and what steps need to be taken by the firm to ensure it fully complies with its data protection obligations.
‘It’s always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers. Deliberately concealing breaches from regulators and citizens could attract higher fines for companies,’ he added.
Even though Uber is aiming to clean up the mess it caused and has left no stone unturned in apologising profusely to the public for its prior conduct, the company will face dire consequences for its actions once the General Data Protection Regulation (GDPR) comes into force in the UK and Europe next year.
‘While the hack occurred in North America, the regulations will apply to any EU citizen’s data. Assuming that at least some of the 50 million records hacked were of EU citizens, then under the new rules GDPR would potentially see Uber punished under EU regulation,’ said Dean Armstrong QC, Cyber Law Barrister at Setfords Solicitors.
‘GDPR is a declaration that personal data is sacrosanct, and that organisations will be held to account if they misuse, abuse or conceal attacks on it. If Uber wants to continue its rise across Europe it has to reverse its attitude to hacks, come clean and work tirelessly to make its protections and reporting systems watertight.
‘It has much work ahead of it, but perhaps this lesson will finally signal to other organisations that law-makers, and the public have had enough of poor data protection provision,’ he added.