The fallout from Uber’s disclosure yesterday of a massive data breach affecting 57 million users and drivers that it concealed for a year continues: The UK’s data protection watchdog has put out a strongly worded statement saying the company’s announcement “raises huge concerns around its data protection policies and ethics”.
It has also warned that deliberately concealing breaches from regulators and citizens “could attract higher fines”.
It’s not yet clear exactly how many UK Uber users have been directly affected by the October 2016 breach — although Uber disclosed yesterday that some international users are affected.
At the time of writing the company has not responded to requests for a more detailed breakdown of which markets are affected by the breach, including whether UK Uber users’ data was compromised.
In a blog post yesterday Uber said that “some personal information of 57 million Uber users around the world” had been in the files downloaded by hackers, including “names, email addresses and mobile phone numbers”.
“Our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded,” it added.
The UK regulator’s remarks are a clear warning shot for a company that has already been censured by a US federal agency on data security and privacy grounds — agreeing in August to 20 years of privacy audits by the FTC to settle a probe into privacy and security complaints that pre-date this new and larger data breach.
The comments are also significant because Uber is currently appealing a decision this September by London’s transport regulator to strip it of its license to operate in the UK capital. (Though it can continue, and is continuing, to operate in the city during the appeals process.)
Among Transport for London’s cited concerns for withdrawing licensing from Uber is its approach to explaining its use of internal software, Greyball — which Uber used in the US to try to monitor and block regulatory bodies from gaining full access to its app, in an attempt to sidestep regulators and law enforcement agencies. Earlier this year the DoJ was reported to be investigating Uber’s use of Greyball.
It is also facing a string of other federal probes relating to various aspects of its business operations.
Here’s the full statement on the Uber breach from ICO deputy commissioner James Dipple-Johnstone:
Uber’s announcement about a concealed data breach last October raises huge concerns around its data protection policies and ethics.
It’s always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers. If UK citizens were affected then we should have been notified so that we could assess and verify the impact on people whose data was exposed.
We’ll be working with the NCSC plus other relevant authorities in the UK and overseas to determine the scale of the breach, how it has affected people in the UK and what steps need to be taken by the firm to ensure it fully complies with its data protection obligations.
Deliberately concealing breaches from regulators and citizens could attract higher fines for companies.
The UK’s National Cyber Security Centre, a branch of the GCHQ domestic intelligence agency, has also put out a statement about the Uber breach, in which it says: “Companies should always report any cyber attacks to the NCSC immediately. The more information a company shares in a timely manner, the better able we are to support them and prevent others falling victim.”
The agency also notes that it’s working closely with the UK’s National Crime Agency and the ICO to investigate “how this breach has affected people in the UK and advise on appropriate mitigation measures”.
“Based on current information, we have not seen evidence that financial details have been compromised,” the NCSC adds.