Uber urged to contact 2.7 million UK users affected by data breach
Hackers were able to obtain the names, email addresses and mobile phone numbers of passengers and drivers, the taxi-hailing firm said.
Uber has been urged to contact the 2.7 million UK users of its app who have been affected by a mass data breach “as soon as possible”.
Hackers obtained personal details of 57 million customers and drivers worldwide, but it is the first time the impact on the UK has been disclosed.
The culprits obtained people’s names, email addresses and mobile phone numbers, the taxi-hailing firm said.
The UK’s information watchdog warned that this could make “other scams, such as bogus emails or calls, appear more credible” and called for Uber to alert everyone affected in the UK “as soon as possible”.
Third-party investigators have found no indication that financial details, journey histories and dates of birth were downloaded, according to Uber.
It did not initially report the scandal, which happened in late 2016.
News of the hack came in an extraordinary admission by the US firm’s chief executive on November 21, revealing a server had been infiltrated.
A ransom of 100,000 US dollars (£75,500) had been paid to hackers so they would delete the data and keep the security lapse quiet.
The app is used in towns and cities across the UK, with 3.5 million passengers and 40,000 drivers in London.
Sadiq Khan, the capital’s mayor, said: “This latest shocking development about Uber will alarm millions of Londoners whose personal data could have been stolen by criminals.
“Uber need to urgently confirm which of their customers are affected, what is being done to ensure these customers don’t suffer adversely, and what action is being taken to prevent this happening again in the future.
“The public will want to know how there could be this catastrophic breach of personal data security.”
In October Uber launched an appeal against Transport for London’s (TfL) decision to deny it a new operating licence in the capital on the grounds of “public safety and security implications”.
Uber said it does not believe that any passengers need to take any action in relation to the data breach.
TfL has informed Uber that it will not be issued with a private hire operator licence pic.twitter.com/rskozKoaL6— Transport for London (@TfL) September 24, 2017
The firm said in a statement: “We have seen no evidence of fraud or misuse tied to the incident. We are monitoring the affected accounts and have flagged them for additional fraud protection.”
It reportedly tracked down the hackers and pressured them to sign non-disclosure agreements so news of the incident did not become public.
Company executives then dressed up the breach as a “bug bounty”, the practice of paying hackers to test the strength of software security, according to The New York Times.
.@UberUK have said a data breach in 2016 affected around 2.7m accounts in the UK https://t.co/IbhEWkkDCj. @ICOnews and @ncsc have responded and @MattHancock has updated parliament https://t.co/c6GaIrg0YZ— DCMS (@DCMS) November 29, 2017
Uber chief executive Dara Khosrowshahi, who took over in August, said in a blog that the firm “took immediate steps to secure the data and shut down further unauthorised access” at the time of the incident.
He went on: “We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed.”
Mr Khosrowshahi added: “None of this should have happened, and I will not make excuses for it.
“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”