The UK’s information commissioner has “huge concerns about Uber’s data policies and ethics” following a breach that exposed the details of 57 million customers and drivers.
Uber did not tell anyone about the breach and paid a ransom to hackers to delete the data.
Deputy commissioner James Dipple-Johnson said these actions were unacceptable.
The ride-sharing company has a resource page for those who may be affected.
“It’s always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers. Deliberately concealing breaches from regulators and citizens could attract higher fines for companies,” Mr Dipple-Johnson said.
“If UK citizens were affected, then we should have been notified so that we could assess and verify the impact on people whose data was exposed.”
He said the Information Commissioner’s Officer (ICO) would work with the National Cyber Security Centre (NCSC) to determine the scale of the breach and how it affected people in the UK, as well considering the next steps that Uber needed to take to comply “with its data protection obligations”.
Next year, EU countries will radically alter data protection laws to offer consumers greater control over the data they share with companies.
The General Data Protection Regulation (GDPR) aims to impose huge fines on companies that conceal data breaches.
Under the new rules, companies have to notify data regulators about a breach within 72 hours of becoming aware of a hack.
They face fines of 4% of their global annual turnover or 20 million euros (£18m), whichever is higher, if they are found to be in breach of the regulations.
Dean Armstrong, a cyber-law barrister at Setfords Solicitors, said: “As Uber hasn’t released its figures, we can’t speculate as to the potential final cost of the fine, but it is fair to say the regulator would come down hard and under the regulations it would likely be in the tens of millions.
“The greater cost to Uber however would and will be in terms of reputation, which although harder to quantify than a fine could far outstrip any penalty handed to them by a regulator.”
David Kennerly, director of threat research at security company Webroot, criticised Uber for paying a ransom to the hackers.
“Given the current climate around data security and breaches, it is astonishing that Uber paid off the hackers and kept this breach under wraps for a year.
“The fact is there is absolutely no guarantee the hackers didn’t create multiple copies of the stolen data for future extortion or to sell on further down the line.”
Raj Samani, chief scientist at security company McAfee said, as a regular Uber user, the news made him “incredibly angry”.
“Uber has treated its customers with a complete lack of respect,” he said.
“Millions of people will now be worrying over what has happened to their personal data over the past 12 months, and Uber is directly responsible for this.”
“In opting to not only cover up the breach, but actually pay the hackers, Uber has directly contributed to the growth of cybercrime and the company needs to be held accountable for this.”