The information commissioner in the UK has “huge concerns about Uber’s data policies and ethics”, after a breach that exposed details of 57 million customers and drivers.
Uber did not tell anyone about the breach and paid a ransom to the hackers to delete the data.
Deputy commissioner James Dipple-Johnson said that these actions are unacceptable.
The ride-sharing company has a page of resources for those who may be affected.
“It is always the responsibility of the company to identify when the citizens of the UK have been affected as part of a data breach and take measures to reduce the harm to consumers. Deliberately concealing violations from regulators and the citizens could attract more fines for the companies,” Mr Dipple-Johnson said.
“If the citizens of the UK are affected, then we should have been notified so that we could evaluate and verify the impact on the persons whose data have been exposed.”
He said the Information Commissioner’s Office (ICO) will be working with the National Cyber Security Centre (NCSC) to determine the magnitude of the breach and how it affects people in the UK, as well as considering the next steps Uber needed to take to comply “with its data protection obligations”.
Next year, the countries of the EU will radically change data protection laws to give consumers greater control over the data they share with companies.
The General Data Protection Regulation (GDPR) seeks to impose heavy fines on companies that hide data breaches.
Under the new rules, companies must notify data controllers of a breach within 72 hours of becoming aware of a hack.
They face fines of 4% of their global annual turnover or €20 million (£18 million), whichever is more, if they are found to be in violation of the regulations.
Dean Armstrong, a cyber-law lawyer at Setfords Solicitors, said: “As Uber has not released their figures, we cannot speculate on the potential final cost of the fine, but it is fair to say that the regulator would come down hard, and under the regulations it is likely to be in the tens of millions of people.
“The biggest cost for Uber, however, would be in terms of reputation, which, although more difficult to quantify than a fine, could far surpass any punishment handed to them by a regulator.”
David Kennerly, director of threat research at security company Webroot, has also criticized Uber for paying a ransom to the hackers.
“Given the current climate around data security and breaches, it is surprising that Uber paid the hackers and kept the breach secret for a year.
“The fact is that there is absolutely no guarantee that the hackers did not create multiple copies of the stolen data for future extortion or to sell further down the line.”
Raj Samani, chief scientist at the security company McAfee, said that, as a regular user of Uber, the news made him “very angry.”
“Uber has treated its clients with a complete lack of respect,” he said.
“Millions of people will now be worrying more about what has happened to their personal data in the past 12 months, and Uber is directly responsible for this.”
“In opting not only to cover up the breach but actually to pay the hackers, Uber has directly contributed to the growth of cybercrime and the company should be responsible for this.”