Uber concealed colossal data breach

27 November 2017

The company Uber has confirmed that they concealed a global breach that affected the personal information of 57 million customers and drivers.

In a report from The Telegraph, of the 57 million, 600,000 drivers were affected, with their names and licence details downloaded by the hackers in the cyber attack. Uber said outside forensics "have not seen any indication that trip location history, credit card numbers, bank account numbers, social security numbers or dates of birth were downloaded".

Uber did not notify individuals or regulators last year at the time of the breach, in October, despite having been in talks with US regulators over separate claims of privacy violations.

Instead of reporting the hack, it said it took immediate steps to secure the data and shut down further unauthorised access by those individuals. The company paid the hackers £75,000 to delete the stolen data.

Dara Khosrowshahi who was appointed as CEO in September recently said in a statement "You may be asking why we are just talking about this now, a year later. I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it…None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,"

Uber’s chief security officer, Joe Sullivan, and one of his deputies have been fired for their roles in covering up the breach.

CIPP comment

GDPR (General Data Protection Regulation) should be on the radar of all businesses – it comes in to force on 25 May 2018 and applies to all EU and foreign companies that offer services to individuals in the EU (regardless of what happens with the Brexit negotiations). This report about Uber acts as a timely reminder - sanctions for non-reporting of a data breach under GDPR are steep – up to approximately £7m or 2% of global turnover, whichever is greater.

The CIPP’s Policy News Journal (a benefit for members only) contains all the latest information on GDPR – go to My CIPP on our website to access the journal.

The CIPP also run a half day training course which will help delegates understand and prepare for the changes, including how they affect payroll and HR functions, so that they can help their organisations become fully compliant by May 2018.