After reports emerged that Uber had suffered a massive data breach, the UK's Information Commissioner's Office (ICO) has said it has "huge concerns" about the company's data protection policies and has confirmed it has launched its own investigation into Uber's decision to cover it up.
The ride-hailing company confirmed yesterday that a hack in October 2016 affected as many as 57 million customers. Names, email addresses and phone numbers were stolen in the attack, but Uber kept details of the breach secret, choosing instead to pay the hackers $100,000 to delete the information.
"Uber's announcement about a concealed data breach last October raises huge concerns around its data protection policies and ethics," said James Dipple-Johnstone, ICO Deputy Commissioner. "It's always the company's responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers. If UK citizens were affected then we should have been notified so that we could assess and verify the impact on people whose data was exposed."
It's the Information Commissioner's Office's job to ensure that companies operating in the UK are protecting the data of UK citizens. It has the power to issue fines if safeguards are found to be inadequate and can increase penalties if an organisation has purposefully hidden a data breach.
In a statement, Uber's new CEO, Dara Khosrowshahi, didn't attempt to defend the company's actions: "None of this should have happened, and I will not make excuses for it. While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers."
Its first steps were to fire chief security officer Joe Sullivan and senior lawyer Craig Clark for their roles in concealing the hack. The company has also brought in former National Counterterrorism Center director Matt Olsen to help restructure security processes and has stepped up its fraud monitoring for the affected accounts.
The ICO will now gather data from the UK's National Cyber Security Centre and other local authorities to assess the scale of the breach and identify how many UK customers were affected. The New York Attorney General also confirmed that his office will conduct an investigation into Uber's non-compliance.