Uber says 2.7 million UK users were affected by 2016 data breach

  • Liam Tung (CSO Online)
  • 30 November, 2017 05:16

Uber has revealed that 2.7 million of its UK users were affected by the 2016 breach it disclosed last week.

Until now Uber had not been able to offer a country-by-country breakdown of the 57 million people it said were affected by the 2016 breach, but it has now confirmed that 2.7 million UK users were affected.

The company has been widely criticized for hiding the October 2016 breach from users and regulators. Uber paid the hackers $100,000 to delete the data, which it claims they actually did. The hackers accessed Uber's AWS-hosted servers after acquiring a security key from Uber's repository on GitHub. Seven million drivers were among the 57 million affected. 

The UK’s Information Commissioner’s Office (ICO) last week said Uber’s decision not to report the breach raised “huge concerns around its data protection policies and ethics”.

Details exposed in the breach included the names, mobile phone numbers and email addresses of UK users, which the ICO believes pose only a minor threat to people.

“On its own this information is unlikely to pose a direct threat to citizens. However, its use may make other scams, such as bogus emails or calls appear more credible. People should continue to be vigilant and follow the advice from the NCSC,” James Dipple-Johnstone, deputy commissioner of the ICO, said today. 

The National Cyber Security Centre (NCSC) agreed the exposed information posed little threat, but as a precaution has advised all Uber users to change the passwords used for their Uber accounts and for any other accounts where the same password was reused.

“We assess that the stolen information does not pose a direct threat to people or allow direct financial crime. Indications are that the breach involved user names, email addresses and mobile phone numbers,” the NCSC said.

However, Uber is yet to provide the ICO and NCSC with technical reports that would allow them to fully confirm the number of people affected and the type of data that was exposed. Uber also needs to notify affected users.

“We would expect Uber to alert all those affected in the UK as soon as possible,” added Dipple-Johnstone. 

The company offered the updated UK information on the support page where it originally published details of the breach.

Uber says the UK figure is an "approximate rather than an accurate and definitive account”, according to the BBC.

Matt Hancock, the UK’s Minister of State for Digital, has also informed the UK parliament about the impact to UK citizens. 

"The Government expects Uber to respond fully to the incident with the urgency it demands and to provide the appropriate support to its customers and drivers in the UK. Uber users should continue to be vigilant and follow the advice from the NCSC, which can be found on their website,” he said.

Hancock, like regulators, first learned of the breach through the media.  

The UK is introducing new data protection laws in line with the EU’s General Data Protection Regulation, which will allow the ICO to issue fines of up to £18 million or four per cent of global turnover.

The Office of the Australian Information Commissioner is also seeking information from Uber. The company has not yet revealed how many Australians were affected. 

CSO Australia has asked the OAIC and Uber for an update.

Australia’s own data breach notification scheme finally begins in February 2018, and will require companies to notify affected people if they could be harmed by a data breach.

In the US, Uber faces a number of lawsuits over the breach. The Washington State Office of the Attorney General yesterday filed a multimillion dollar consumer protection lawsuit. The state’s laws require that the AG and consumers be notified within 45 days of a breach that affects more than 500 of its residents. The lawsuit seeks penalties of $2,000 per person Uber failed to notify in the state.