Cyber experts assessing how many UK users affected by Uber hack

Investigators are working to establish how many British Uber customers had personal information hacked during a mass data breach covered up by the taxi-hailing firm.

The Information Commissioner's Office (ICO) warned Uber it faced "higher fines" for concealing details of the hack, which affected 57 million drivers and customers worldwide.

In an extraordinary admission made by the US firm's chief executive on Tuesday, it was revealed a third-party cloud-based service had been infiltrated by cyber criminals.

Dara Khosrowshahi, who took over in August, said two individuals outside the company "inappropriately accessed user data" in late 2016.

This included names, email addresses and mobile phone numbers, as well as the names and number plates of 600,000 drivers in the US.

Uber suppressed the incident by paying 100,000 US dollars (£75,500) to hackers so they would delete the data and keep the breach quiet, Bloomberg reported.

The ICO has been working alongside the National Cyber Security Centre (NCSC) to assess the scale of the problem for British users.

James Dipple-Johnstone, deputy commissioner of the information watchdog, said: "Uber's announcement about a concealed data breach last October raises huge concerns around its data protection policies and ethics.

"It's always the company's responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers. If UK citizens were affected then we should have been notified so that we could assess and verify the impact on people whose data was exposed.

"We'll be working with the NCSC plus other relevant authorities in the UK and overseas to determine the scale of the breach, how it has affected people in the UK and what steps need to be taken by the firm to ensure it fully complies with its data protection obligations.

"Deliberately concealing breaches from regulators and citizens could attract higher fines for companies."

Mr Khosrowshahi said there had been "no indication" trip history, credit card details, bank account numbers or dates of birth were downloaded by the hackers.

He wrote in a blog post: "At the time of the incident, we took immediate steps to secure the data and shut down further unauthorised access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed."

Uber reportedly tracked down the hackers and pressured them to sign non-disclosure agreements so news of the breach did not get out.

The New York Times said company executives had then dressed up the breach as a "bug bounty", the practice of paying hackers to test the strength of software security.

Affected accounts have been flagged for additional fraud protection, Mr Khosrowshahi said.

"None of this should have happened, and I will not make excuses for it," he wrote. "While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes."
