Breach Notification , Incident & Breach Response , Managed Detection & Response (MDR)

Driving Privacy Regulators Crazy: UK Probes Uber Breach

'Deliberately Concealing Breaches' Escalates Fines, Privacy Watchdog Warns
Driving Privacy Regulators Crazy: UK Probes Uber Breach
Uber competed with taxis in London until Uber's license to operate was revoked in September. (Photo: Elliott Brown, via Flickr/CC)

British regulators have launched a probe of the massive data breach suffered by taxi competitor Uber, which is scrambling to notify 57 million individuals in an unspecified number of countries that their details were exposed last year (see Uber Concealed Breach of 57 Million Accounts For A Year).

See Also: Hunt Cloud Threats or Be Hunted | CISO Guide to Cloud Compromise Assessments

In a Tuesday statement, Uber CEO Dara Khosrowshahi said the breach compromised "personal information of 57 million Uber users around the world," including riders' names, email addresses and mobile phone numbers. Khosrowshahi said the breach also exposed names and driver's license numbers for 600,000 of the company's U.S.-based drivers.

In response to Uber's warning that it suffered a breach last year running from October to November, Britain's data privacy watchdog has asked: What took you so long?

"Uber's announcement about a concealed data breach last October raises huge concerns around its data protection policies and ethics," says James Dipple-Johnstone, deputy commissioner of Britain's Information Commissioner's Office. The ICO functions as the U.K.'s data privacy watchdog and has the power to impose fines of up to £500,000 ($660,000) when organizations fail to properly safeguard U.K. citizens' personal data.

The ICO's announcement adds to Uber's woes in the United Kingdom. In September, Transport for London, a local government body responsible for the transport system in greater London, revoked the company's license to operate.

Uber says it will appeal the decision. "We hope to have further discussions over the coming weeks as we are determined to make things right in London," an Uber spokesman told Reuters last month.

But London Mayor Sadiq Khan said any overturn on the ban might not occur quickly. "My understanding is that it could go on for a number of years," Khan said, the BBC reports.

Say Hello to GDPR

"Technically, there is no legal obligation under [the] DPA to notify the ICO of breaches," says U.K.-based data protection and privacy consultant Pat Walshe via Twitter. "GDPR will change that in such cases," he adds, referring to the EU's new General Data Protection Regulation.

In addition to instituting mandatory data breach notifications to authorities, under GDPR, the ICO and other country-level data privacy watchdogs will have the power to impose fines of up to 4 percent of a company's global annual profits, or €20 million ($23.5 million) - whichever is greater. Luckily for Uber, GDPR enforcement doesn't begin until May 25, 2018.

For now, the ICO says Uber should immediately share with it the particulars of its breach, which it covered up for more than a year. "It's always the company's responsibility to identify when U.K. citizens have been affected as part of a data breach and take steps to reduce any harm to consumers," Dipple-Johnstone says. "If U.K. citizens were affected, then we should have been notified so that we could assess and verify the impact on people whose data was exposed."

The ICO says it will work with Britain's national incident response agency, the National Cyber Security Center, which is part of intelligence agency GCHQ, as well as other agencies and regulators abroad "to determine the scale of the breach, how it has affected people in the U.K. and what steps need to be taken by the firm to ensure it fully complies with its data protection obligations."

The biggest fine ever imposed by the ICO was on London telecommunications firm TalkTalk over a devastating breach it suffered in October 2015. The ICO slammed TalkTalk with a record-setting £400,000 ($530,000) fine after its investigation found that TalkTalk violated the U.K.'s Data Protection Act by failing to put proper security measures in place to safeguard user data.

The ICO said it didn't impose the maximum possible fine because TalkTalk cooperated fully with its investigation, notified its customers quickly about the breach and also offered 12 months of free credit monitoring. The ICO also said TalkTalk had immediately taken appropriate remedial action to prevent a recurrence of the circumstances that led to the breach.

Warning: Concealment Triggers Higher Fines

Commenting on Uber, however, the ICO says that the one-year delay between the ride-hailing service discovering the breach and issuing its first public warning to breach victims is cause for concern.

"Deliberately concealing breaches from regulators and citizens could attract higher fines for companies," Dipple-Johnstone says.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.