Uber Data Breach Includes 57 million UK Users and Drivers


Following a string of scandals and mounting shareholder pressure, Travis Kalanick resigned his role as Uber CEO in June.

After Uber revealed that it paid hackers $100,000 to keep quiet about stealing the personal information of 57 million customers and drivers, the company is now facing at least three potential class action lawsuits and separate investigations by the attorneys general of New York, Missouri, Massachusetts, Connecticut, and Illinois.

Uber has form. In January it was fined $20,000 for failing to disclose a considerably less serious breach in 2014.


James Heath, of Atkins Thomson solicitors, said the firm had received a number of enquiries from troubled Uber customers regarding the massive data breach in 2016. "However, once our internal inquiry concluded and we had a more complete understanding of the facts, we disclosed to regulators and our customers in a very public way".

Softbank is seeking a deal which would amount to a 14% stake in the privately-held Uber. Khosrowshahi then outlined steps taken by the company following the discovery of the attack.

Uber declined to comment on that report.

Khosrowshahi, who joined the company in August, said: "You may be asking why we are just talking about this now, a year later".

"We are working with the NCSC plus other relevant authorities in the United Kingdom and overseas to determine the scale of the breach, and what steps need to be taken by the firm to ensure it fully complies with its data protection obligations", Dipple-Johnstone said. The company also says that it paid the two individuals responsible for the attack $100,000 in order to delete the stolen data and remain quiet.

Its delay in informing the public - and the unusual move of paying off hackers - had already raised the ire of some regulators. On Wednesday, the Attorney General of Missouri - one of the states now probing Uber - sent the company a letter demanding that it immediately notify all affected customers and implement procedures aimed at preventing future data breaches.

"By virtue of its operations and processing of Filipino end user data, Uber is considered a Personal Information Controller and must comply with Philippine data privacy and protection laws", the National Privacy Commission said. According to Bloomberg, which first broke the story, Joe Sullivan, Uber's chief security officer, led the response to the hack, and Craig Clark, the legal director of security and law enforcement who reported directly to Sullivan, also knew about the breach.

Sense of Security chief technology officer Jason Edelstein said greater attention needed to be paid to "properly" enforcing the regulations when introduced, as having even basic personal information stolen could have dire consequences for consumers.

For that reason, Uber will now pay for free credit-report monitoring and identity theft protection services for the affected drivers.
