Uber recently admitted to a historic data breach that compromised personal data belonging to some of its 57 million users and drivers worldwide. With six million of those users in the U.K., a significant number of people in Britain could be at risk of further criminal activity such as fraud and digital harassment.
To make matters worse, the breach happened a year ago in October 2016, but instead of telling the authorities, Uber decided to ‘handle it’ by finding the hackers and paying them off to keep quiet.
Crime and security agencies’ involvement
The seriousness of the breach has prompted several British intelligence and law enforcement agencies to investigate the damage. The U.K.’s National Cyber Security Centre (NCSC) are conducting an inquiry into the breach, and as part of the GCHQ intelligence service, they will be focused on the extent of the breach; Uber’s failure to disclose it; and the steps it took to potentially cover it up.
The National Crime Agency (NCA) are set to be involved in the probe as well, which suggests the hackers may have been based here in the U.K.
Regulator involvement
The Information Commissioner’s Office (ICO), as the U.K.’s data protection watchdog, will be investigating Uber’s data breach. ICO deputy commissioner James Dipple-Johnstone said that Uber’s actions:
“…raises huge concerns around its data protection policies and ethics.”
He continued to talk about Uber’s responsibility to disclose the breach if U.K. citizens are affected by it so appropriate steps can be taken to protect victims.
The ICO has the power to fine the company up to £500,000 for violating data protection laws. Uber will no doubt be under serious scrutiny as a result of their efforts to conceal the breach and keep it hidden for a year or so.
Local government
London Mayor, Sadiq Khan, expressed his concerns over the breach, especially as it came just before Uber was set to appeal the legal decision revoking their licence to operate in London. Uber had its licence revoked earlier this September by Transport for London (TfL) after it deemed the alternative taxi service “not fit and proper” because of a number of issues.
TfL noted that the car sharing company lacked “corporate responsibility.”
The decision to silence the breach
The former head of security at Uber, Joe Sullivan, reportedly made the call to silence the hackers and sweep the breach under the carpet. Together with his deputy, he apparently gave instructions to make the breach appear controlled and deliberate, by pretending the hackers had been employed to conduct penetration testing of Uber’s security systems. Sullivan and his deputy have lost their jobs over the scandal, but authorities may have more to say with regard to any alleged legal misconduct.
The NCSC has tweeted a message to Uber users and drivers, urging them to take steps in order to protect themselves:
– Be alert to phishing emails;
– Be vigilant to potential scam calls;
– Do not feel obliged to delete the app;
– Contact Action Fraud if you think you have been a victim.
Uber has admitted that it told a potential investor, SoftBank Group Corp, about the breach prior to coming clean with the public. A statement by Uber says:
“We informed SoftBank that we were investigating a data breach, consistent with our duty to disclose to a potential investor, even though our information at the time was preliminary and incomplete.”