Uber admitted to covering up massive data breach

“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”

Earlier today (Wednesday), the U.K. Information Commissioner’s Office said that Uber’s admission over the hack “raises huge concerns around its data protection policies and ethics.” 

“It’s always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers,” said deputy commissioner James Dipple-Johnstone.

“If UK citizens were affected then we should have been notified so that we could assess and verify the impact on people whose data was exposed.”

He said that the ICO would be working with the National Cyber Security Centre (NCSC) and other relevant British and international authorities to determine the scale of the breach, and the extent to which it has affected people in the United Kingdom.

Dipple-Johnstone said that the ICO and other agencies would also determine what steps need to be taken by Uber to ensure it fully complies with its data protection obligations.

“Deliberately concealing breaches from regulators and citizens could attract higher fines for companies,” he added.

A spokesperson for the NCSC, an arm of GCHQ, said companies must report any cyberattacks “immediately.”

“The more information a company shares in a timely manner, the better able we are to support them and prevent others falling victim,” he added.

“We are working closely with other agencies including the NCA and ICO to investigate how this breach has affected people in the U.K. and advise on appropriate mitigation measures.

“Based on current information, we have not seen evidence that financial details have been compromised.”

Bloomberg reports that Uber’s Chief Security Officer Joe Sullivan and an associate lost their jobs because they sought to keep the breach quiet.

The Independent notes that the EU-wide General Data Protection Regulation (GDPR) will punish companies attempting to conceal breaches after it comes into force in May 2018.

The law, which the U.K. will keep after Brexit, will impose fines of up to €20 million or 4 percent of the company’s global annual turnover – whichever is higher.

Proponents say it will harmonize national laws and “protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.” 

Around 1.8 million cyber-enabled crimes took place in England and Wales last year, mostly involving fraud for profit, but also including disruption and data breaches perpetrated by hostile states such as Russia, Iran, and North Korea.