Uber says 2.7m Brits hit by breach that was covered up
Uber has revealed that 2.7 million British riders and drivers were affected by a 2016 data breach that it covered up for more than a year.
A total of 57 million worldwide had data exposed in the breach, but the firm had not specified how many were UK-based before.
The stolen information includes names, email addresses and phone numbers and – for drivers – licence numbers.
Uber should notify UK users who have been affected, the data regulator said.
According to Uber, the 2.7 million figure is “approximate rather than an accurate and definitive account” – this is because the information gathered by the firm’s app does not always specify where users live.
The BBC has asked Uber to clarify how many UK drivers are included in the 2.7 million.
The Information Commissioner’s Office (ICO) had previously said it had “huge concerns” about the breach.
Responding to the latest news, a spokesman for the ICO said: “As part of our investigation we are still waiting for technical reports which should give full confirmation of the figures and the type of personal data that has been compromised.”
“We would expect Uber to alert all those affected in the UK as soon as possible.”
‘Shocking’ development
The ICO believes the data could be used by scammers trying to target victims of the breach.
Both Uber and the ICO have directed users to advice from the UK’s National Cyber Security Centre that was published following news of the breach.
The latest development was described as “shocking” by London Mayor Sadiq Khan.
“Uber needs to urgently confirm which of their customers are affected, what is being done to ensure these customers don’t suffer adversely, and what action is being taken to prevent this happening again in the future,” he said.
When news of the breach was revealed last week, chief executive Dara Khosrowshahi said, “None of this should have happened, and I will not make excuses for it.”
The story was first broken by Bloomberg, which reported that Uber not only sought to cover up the incident but also paid hackers $100,000 (£75,000) to delete the data they had stolen.