Brit regulators, security agencies and MPs have slammed Uber for covering up the massive data breach of 57 million customer and driver records.
The UK's data protection watchdog said that yesterday's revelations about the breach "raises huge concerns around [Uber's] data protection policies and ethics".
Uber has yet to break down the numbers of affected customers on a country-by-country basis – other than to say that 600,000 US drivers' information was leaked – so it isn't clear how many UK employees or customers are at risk.
Deputy information commissioner James Dipple-Johnstone said that if UK citizens had been affected then his organisation "should have been notified so that we could assess and verify the impact on people whose data was exposed".
Deputy Labour leader Tom Watson echoed his concerns about the way the taxi biz handled the breach, saying it raised questions about Uber's "culture and internal practices".
In an open letter to CEO Dara Khosrowshahi, shared on Twitter, Watson lambasted Uber for failing to notify customers, observing that it seems perfectly capable of contacting them when it benefits the biz.
"I note that when Transport for London announced that they would not be renewing Uber's licence to operate... Uber emailed its customers to ask them to protest against this decision on the very same day," Watson wrote.
He also posed a list of questions drilling into who was aware of the breach, in addition to the two employees that have been jettisoned from the firm.
I’m shocked at news that Uber concealed a data breach that affected 57 million customers and drivers. I’ve written to their CEO. pic.twitter.com/7dDbUYV0f1— Tom Watson (@tom_watson) November 22, 2017
The ICO, the National Crime Agency and the National Security Centre said they were working together to investigate how the breach has affected UK customers.
The agencies pointed out that firms have a duty to 'fess up to breaches so they can work together to tackle the breach and limit the harm to customers.
The ICO also indicated that deliberately concealing breaches "could attract higher fines". Although, as many have noted, the revelation from Uber has come before the EU's new General Data Protection Regulation – and its maximum €20m/£17m fine – kicks in next year.
Uber could not immediately offer any more information on the number of UK users or drivers affected; who was responsible for ensuring Uber complied with UK data protection law at the time of the breach; or when UK regulators and customers would been contacted. ®