- Uber on Tuesday revealed that it had covered up a data breach that took place in 2016, affecting 57 million users.
- The company failed to tell authorities around the world and, according to Bloomberg, paid $US100,000 to the hackers to cover up the breach, which included names, emails, and phone numbers.
- UK authorities have said British users were affected but haven’t said how many.
- The UK’s digital minister, Matt Hancock, said the company probably broke the law – the most damning statement yet from the government.
The questions are piling up on Uber about a data breach that put at least 57 million users at risk but wasn’t disclosed by the company.
The ride-hailing company is now under investigation in the US, the UK, and other countries for failing to disclose the hack to authorities and apparently paying hackers to cover up the breach.
Now the UK’s digital minister, Matt Hancock, has given the most damning official statement yet on the breach by suggesting the company broke the law by failing to disclose.
Hancock made the comments in Parliament on Thursday. Asked by Labour MP Kevin Brennan whether Uber had broken the law in relation to the breach, Hancock responded that Brennan “asked whether this is illegal under current UK law – that of course is matter for the courts, but I think there’s a very high chance that it is.”
Neither Hancock nor Brennan went into further detail.
Uber did not specifically respond to Hancock’s comments but said in a statement: “We are in the process of notifying various regulatory and government authorities and we expect to have ongoing discussions with them. Until we complete that process we aren’t in a position to get into any more details.”
Hancock added that it’s an “aggravating factor” if a company gets hacked but doesn’t tell authorities immediately. That can potentially lead to higher fines, though in the case of the UK’s data authority, that’s only a maximum of £500,000, or $US665,000. Bloomberg on Tuesday reported that Uber had paid the attackers a $US100,000 ransom.
“Delaying notification is not acceptable,” Hancock said.
The UK’s data watchdog, the Information Commissioner’s Office,has already said it will investigate the breach.
We still don’t know how many British users were affected
The ICO has confirmed British users were affected by the hack but hasn’t yet given an estimate on how many.
According to Hancock, Uber has handed over information on how many of its UK users were affected by the hack.
But he said the government didn’t fully trust the figures.
He said: “In terms of the number, we do not have sufficient confidence in the number we have been told by Uber to go public. We’re working with the [National Cyber Security Centre] to have more confidence in that figure.”
Hancock pointed out that the number of customers affected by the hack on the US consumer-data giant Equifax turned out to be bigger than originally estimated. The government says it plans to publish its findings in “a matter of days.”
It also turns out that the government found out about the hack only from media reports on Tuesday, with Uber giving statements to the press before speaking with UK authorities, Hancock said.
“Uber had failed to tell the UK authorities before they spoke to the media,” he said.
“As far as we can tell, it was not a hack perpetrated in the UK. Our role is therefore to at this stage is to understand how UK citizens were affected. We are working with the ICO and the NCSC, and they are talking to the [Federal Trade Commission] and others to get to the bottom of this.”
Hancock added that it seemed unlikely that any of the stolen information could be used to steal customers’ money.
“At this stage, our initial assessment for Uber customers … the stolen information is not the sort of information that would allow direct financial crime.”
Business Insider Emails & Alerts
Site highlights each day to your inbox.