2.7 million UK Uber users affected by mass data breach

Updated: 
UBER-BRITAIN/

Uber has revealed that 2.7 million UK users of its app have been affected by a mass data breach.

Hackers were able to obtain the names, email addresses and mobile phone numbers of passengers and drivers, the taxi-hailing firm said.

Third-party investigators have found no indication that financial details, journey histories and dates of birth were downloaded, according to Uber.

Downing Street said last week that the cyber attack, which affected 57 million customers and drivers worldwide, was not initially reported by the company after it hushed up the scandal.

News of the hack came in an extraordinary admission by the US firm's chief executive on November 21, revealing a server had been infiltrated in late 2016.

A ransom of 100,000 US dollars (£75,500) had been paid to hackers so they would delete the data and keep the security lapse quiet.

The app is used in towns and cities across the UK, with 3.5 million passengers and 40,000 drivers in London.

Sadiq Khan, the capital's mayor, said: "This latest shocking development about Uber will alarm millions of Londoners whose personal data could have been stolen by criminals.

"Uber need to urgently confirm which of their customers are affected, what is being done to ensure these customers don't suffer adversely, and what action is being taken to prevent this happening again in the future. The public will want to know how there could be this catastrophic breach of personal data security."

In October Uber launched an appeal against Transport for London's (TfL) decision to deny it a new operating licence in the capital on the grounds of "public safety and security implications".

Uber said it does not believe that any passengers need to take any action in relation to the data breach.

The firm said in a statement: "We have seen no evidence of fraud or misuse tied to the incident. We are monitoring the affected accounts and have flagged them for additional fraud protection."

It reportedly tracked down the hackers and pressured them to sign non-disclosure agreements so news of the incident did not become public.

Company executives then dressed up the breach as a "bug bounty", the practice of paying hackers to test the strength of software security, according to The New York Times.

Uber chief executive Dara Khosrowshahi, who took over in August, said in a blog that the firm "took immediate steps to secure the data and shut down further unauthorised access" at the time of the incident.

He went on: "We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed."

Mr Khosrowshahi added: "None of this should have happened, and I will not make excuses for it. While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes."