November 24, 2017 // 11:05 a.m.
The Information Commissioner's Office (ICO) has confirmed that the data breach which was revealed by transport company Uber this week includes an as-yet undisclosed number of UK citizens, while further evidence emerges of the company's chief executive's prior knowledge of the attack.
Announced more than a year after it was first discovered by the company, the attack on Uber's systems disclosed the personal details of 56 million customers and a further 600,000 drivers. At the time, Uber chief executive Dara Khosrowshahi claimed that while the breach had been discovered in October 2016 - then, sources have claimed, covered up by the company's chief security officer and then-chief executive, including the payment of a $100,000 ransom to the attackers in the guise of a 'bug bounty' payout to legitimately hired security contractors - he had only been informed shortly prior to the public announcement, a claim upon which sources are now casting doubt.
The Wall Street Journal has published a story claiming that Khosrowshahi was informed of the breach back in September, two weeks after taking on the role of chief executive, but failed to warn customers until late November. Bloomberg has added weight to this claim with its own report, confirmed by Uber, that the company disclosed the breach to potential investor SoftBank prior to its public disclosure.
UK customers of the app-based 'gig economy' private hire platform, meanwhile, have been confirmed as affected by the breach. 'We can confirm that UK citizens have been affected by the data breach involving Uber last October,' deputy information commissioner James Dipple-Johnstone has announced in a statement on the breach. 'As UK citizens would expect, the ICO is in direct contact with the company to establish the numbers and what kind of personal data may have been compromised.
'We are working with the NCSC [National Cyber Security Centre] plus other relevant authorities in the UK and overseas to determine the scale of the breach, and what steps need to be taken by the firm to ensure it fully complies with its data protection obligations. It's always the company's responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers.
'Deliberately concealing breaches from regulators and citizens could attract higher fines for companies,' Dipple-Johnstone warned, a sentiment echoed by minister for digital Matt Hancock who has opined that there is a 'very high chance' that the company's actions to hide the breach are illegal under UK law.