“None of this should have happened, and I will not make excuses for it,” Uber Chief Executive Dara Khosrowshahi said, as he acknowledged both the breach and the subsequent cover-up.
“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”
Khosrowshahi also said that the “failure to notify affected individuals or regulators” had prompted him to take a number of steps, including the dismissal of two of the employees responsible for Uber’s response in 2016.
Chris Hoofnagle of the Berkeley Center for Law and Technology described the company’s failure to disclose the breach as “amateur hour.”
He told the Guardian: “The only way one can have direct liability under security breach notification statutes is to not give notice. Thus, it makes little sense to cover up a breach.”
It had already been announced that the New York State Attorney General’s office had opened an investigation into the data breach and others are likely to follow suit. The Uber customers and drivers affected were not only based in the US, however. Earlier this week, the company said that it estimated that 2.7 million people in the UK could have been affected, and yesterday it was confirmed that the EU’s data protection watchdogs had launched their own taskforce to look into the breach and Uber’s subsequent actions.
What are the implications for Uber users? While the company confirmed that many UK users had been affected, it added that the 2.7 million figure was an “approximation rather than an accurate and definitive count.”
It had previously been reported that the hackers had obtained personal data, including names, email addresses and phone numbers, as well as the names and driver’s licence numbers of around 600,000 drivers in the US.
In a statement on the “Help” section of its website, however, Uber claimed that more sensitive financial information had not been compromised.
“Our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers or dates of birth were downloaded,” it said.
“When [the breach] happened, we took immediate steps to secure the data, shut down further unauthorised access, and strengthen our data security.”
The UK’s Information Commissioner’s Office (ICO) said that it was still waiting for confirmation on the details of the breach.
ICO Deputy Commissioner James Dipple-Johnstone said: “On its own this information is unlikely to pose a direct threat to citizens. However, its use may make other scams such as bogus emails or calls appear more credible. People should continue to be vigilant and follow the advice from the National Cyber Security Centre (NCSC).
“As part of our investigation we are still waiting for technical reports which should give full confirmation of the figures and the type of personal data that has been compromised.
“We are continuing to work with the NCSC plus other relevant authorities in the UK and overseas to ensure the data protection interests of UK citizens are upheld.”
What could happen to Uber? The breach and, in particular, Uber’s subsequent handling of it could mean big trouble for the company.
The EU taskforce will be led by the Dutch Data Protection Authority as Uber’s European HQ is based in the Netherlands. Its remit has not yet been made public, but Uber is perhaps fortunate that the EU’s General Data Protection Regulation (GDPR), which vastly increases legal sanctions, does not come into force until next May.
Speaking at a data protection conference in Brussels yesterday, European Justice Commissioner Vĕra Jourová said that the GDPR would “allow us to respond adequately to such irresponsible behaviour.”
In the US, the Guardian suggests that Uber could potentially face numerous civil liability lawsuits, while in the UK, London Mayor Sadiq Khan weighed into the row.
“This latest shocking development about Uber will alarm millions of Londoners whose personal data could have been stolen by criminals,” Khan said.
“Uber needs to urgently confirm which of their customers are affected, what is being done to ensure these customers don’t suffer adversely, and what action is being taken to prevent this happening again in the future.”
Just over a week ago, Bloomberg broke the news that taxi disruptors Uber had suffered its own disruption in the shape of a huge data breach affecting some 57 million customers and drivers. What’s more, the breach was not a recent event. The attack had taken place in October 2016, and Uber paid the hackers $100,000 in an attempt to keep the incident under the radar.
Read more of our latest Industry Updates news stories
