Latest ICO statement on Uber data breach
UPDATE: Wednesday 29 November 2017
James Dipple-Johnstone said:
“Uber has confirmed its data breach in October 2016 affected approximately 2.7million user accounts in the UK.
“Uber has said the breach involved names, mobile phone numbers and email addresses.
“On its own this information is unlikely to pose a direct threat to citizens. However, its use may make other scams, such as bogus emails or calls appear more credible. People should continue to be vigilant and follow the advice from the NCSC.
“As part of our investigation we are still waiting for technical reports which should give full confirmation of the figures and the type of personal data that has been compromised.
“We would expect Uber to alert all those affected in the UK as soon as possible.
“We are continuing to work with the NCSC plus other relevant authorities in the UK and overseas to ensure the data protection interests of UK citizens are upheld.”
Wednesday 22 November 2017, 5.35pm
James Dipple-Johnstone said:
“We can confirm that UK citizens have been affected by the data breach involving Uber last October.
“As UK citizens would expect, the ICO is in direct contact with the company to establish the numbers and what kind of personal data may have been compromised.
“We are working with the NCSC plus other relevant authorities in the UK and overseas to determine the scale of the breach, and what steps need to be taken by the firm to ensure it fully complies with its data protection obligations.
“It’s always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers.
“Deliberately concealing breaches from regulators and citizens could attract higher fines for companies.”
Wednesday 22 November 2017, 10am
James Dipple-Johnstone, ICO Deputy Commissioner said:
“Uber’s announcement about a concealed data breach last October raises huge concerns around its data protection policies and ethics.
“It’s always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers. If UK citizens were affected then we should have been notified so that we could assess and verify the impact on people whose data was exposed.
“We’ll be working with the NCSC plus other relevant authorities in the UK and overseas to determine the scale of the breach, how it has affected people in the UK and what steps need to be taken by the firm to ensure it fully complies with its data protection obligations.
“Deliberately concealing breaches from regulators and citizens could attract higher fines for companies.”