Uber data breach includes UK users — but it’s still not clear how many

The UK’s digital minister has said the October 2016 data breach that Uber disclosed this week does affect UK users — though it’s still unclear how many are impacted at this stage.

Making a statement in parliament yesterday, Matt Hancock said:

We are verifying the extent and the amount of information. When we have a sufficient assessment, we will publish the details of the impact on UK citizens, and we plan to do that in a matter of days. As far as we can tell, the hack was not perpetrated in the UK, so our role is to understand how UK citizens are affected. We are working with the Information Commissioner’s Office and the National Cyber Security Centre, and they are talking to the US Federal Trade Commission and others to get to the bottom of things.

At this stage, our initial assessment is that the stolen information is not the sort that would allow direct financial crime, but we are working urgently to verify that further, and we rule nothing out. Our advice to Uber drivers and customers is to be vigilant and to monitor accounts, especially for phishing activity. If anyone thinks they are a victim, contact the Action Fraud helpline and follow the NCSC guidance on passwords and best practice.

On Tuesday, a year after it had learned about the breach, Uber informed the press that hackers had accessed the personal data of 57 million Uber users and drivers.

It said around 50 million riders and roughly seven million drivers were affected. The data accessed included names, email addresses and phone numbers; some 600,000 US driver’s license numbers were also taken. Uber has said no financial information was accessed.

It also apparently paid $100,000 to the hackers to delete the data.

Uber also said some of the data involved users of its service outside the US, though it has not yet publicly provided a breakdown of specific affected markets.

“We do not have sufficient confidence in the number that Uber has told us to go public on it,” said Hancock, responding to questions put to him in parliament about the breach, and implying the government believes the figure Uber has provided is too small to be credible.

“We are working with the National Cyber Security Centre and the ICO [UK’s data watchdog] to have more confidence in the figure,” he continued, pointing out that in the case of the recent Equifax breach, which also affected UK users, the “initial figure suggested went up”.

“We want to get to the bottom of it and will publish further details within days, and if required I will be happy to come before the House to take further questions,” he added.

Reached for a response to Hancock’s comments, an Uber spokesperson told us he could not provide any additional information on the breakdown of the breach at this stage.

“We are in the process of notifying various regulatory and government authorities and we expect to have ongoing discussions with them. Until we complete that process we aren’t in a position to get into any more details,” he added.

Meanwhile, the European Union’s Article 29 Working Party — aka the influential advisory body made up of representatives from all 28 EU Member States’ national data protection authorities — said it has added the Uber data breach to its agenda for its next plenary session, due to take place on November 28 and 29.

A spokeswoman for the group told us: “It is too soon to talk about the possible actions that have to be decided by the group. The enforcement actions are still on the national level until GDPR next May (investigations, sanctions). But the plenary session could decide for example to dedicate a taskforce to coordinate the national initiatives.”

GDPR refers to the incoming General Data Protection Regulation, which applies across the EU from 25 May 2018.

The regulation sets a new standard for breach notification: a company must report a breach of personal data to its supervisory authority (in the UK, the ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to put individuals at risk. Where the risk to individuals is high, the affected people must also be told without undue delay.

The new rules are also backed up by far stiffer penalties for non-compliance: fines of up to €20M or 4% of a company’s annual global turnover, whichever is greater.

For now though, Uber faces a compliance patchwork of different national rules across any European Union countries impacted by the data breach.

In the UK, Uber could be on the hook for a fine of up to £500,000 if it’s found to have broken UK data protection law. That is the current maximum penalty the ICO can impose under the Data Protection Act 1998, ahead of new legislation currently being debated to align UK law with the incoming EU regulation.

Responding to a question on whether he believes Uber has broken current UK law, Hancock said it “would be a matter for the courts” — but added: “I think there is a very high chance that it has.”

He further revealed the government only learned about the breach via the media: “As far as we are aware, the first notification to UK authorities — whether the government, the ICO or the NCSC [National Cyber Security Centre] — was through the media,” he said.

Labour MP Wes Streeting took the opportunity to press Hancock on the government’s response to Transport for London’s decision in September not to renew Uber’s licence to operate in the city, a decision Uber is currently appealing.

“Does he think that a company that covers up the theft of data and pays a ransom to criminal hackers can possibly be considered a fit and proper operator of licensed minicabs in our towns and cities?” Streeting asked the minister, accusing the government of attacking London’s mayor for his support of the Uber ban.

“Given that we now know that Uber plays fast and loose with the personal data of its 57 million customers and drivers, is it not time that the government stopped cosying up to this grubby, unethical company and started standing up for the public interest?”

“Licensing taxi companies and private hire companies is rightly for local authorities. This is a data protection issue, and we are dealing with it with the utmost urgency,” responded Hancock. He went on to note that the government is currently legislating for higher fines for data protection failures in a new Data Protection Bill, and pointed to the incoming 72-hour breach notification standard, which will align UK law with GDPR.

“Delaying notification is unacceptable unless there is a very good reason and is, as I said, an aggravating factor when the Information Commissioner looks into such cases,” he added.

Yesterday the ICO put out a strongly worded statement regarding the Uber breach, saying it “raises huge concerns” and warning that companies that conceal breaches can “attract higher fines”.

The Uber breach has also renewed calls for the government to rethink its approach to data redress by backing a provision in the Data Protection Bill that would allow independent bodies to pursue redress on behalf of consumers, an option that GDPR (Article 80(2)) leaves to each Member State to decide.

Last month UK consumer group Which? called for the government to give independent bodies the power to seek collective redress on behalf of consumers when a company has failed to take sufficient action in the wake of a data breach.

However the government has so far opposed any such provision.

“Uber’s data breach — and the fact that it’s been hidden — will worry customers and drivers alike. It’s critical that the company does all that it can to ensure affected people get clear information about what’s happened,” said Which?’s MD of home products and services, Alex Neill, discussing the Uber breach in the Telegraph.

“Data breaches are becoming more and more common and yet the protections for consumers are lagging behind. The UK Government should use the Data Protection Bill to give independent bodies the power to seek collective redress on behalf of affected customers when a company has failed to take sufficient action following a data breach.”

Hancock was also pressed in parliament on whether the government will now commit to reversing its opposition to collective redress — to, as one MP put it, “show that we are on the side of consumers and employers, not huge corporations that are careless with our data”.

He responded by claiming the government had rejected an amendment to include collective redress because it “pushed in the opposite direction” to the “principle” behind the Data Protection Bill which he said aims to “increase the level of consent required and people’s control over their own data”.

But he also noted that the draft bill will be debated in the House of Commons in due course — meaning there’s at least a possibility that Uber’s decision to conceal a massive data breach for so long could end up helping to bolster consumer protections in UK data protection law.

It’s even more likely to play an influential role in determining the outcome of Uber’s appeal against its London license loss.

Over in the US, the FTC has also said it’s evaluating “serious issues” raised by the breach, and the New York AG has launched an investigation into the $100k hack cover-up.

Uber will likely soon be facing multiple class action lawsuits in the US too.