GCHQ opens investigation into Uber hack ‘cover-up’
BRITAIN’S spy agencies have begun an investigation into the cover-up of a data hack of 57 million Uber customers that undermines the company’s attempts to win back its London licence.
The National Cyber Security Centre (NCSC) announced the inquiry yesterday as further details emerged of the data hack that took place a year ago, but which Uber kept secret.
The NCSC, part of GCHQ, is investigating the extent of the breach and Uber’s failure to report it to authorities at the time. The National Crime Agency (NCA), Britain’s equivalent to the FBI, is also involved, suggesting the hackers may have been British-based, while the Information Commissioner’s Office (ICO) warned that Uber faced “higher fines” for its concealment.
Meanwhile, it emerged last night that a number of customers have been billed in roubles for trips they had not taken in Moscow and St Petersburg. The charges, thought to be the result of users having their accounts hijacked, have prompted fears that Russians could be behind the hack.
It is currently unclear whether the incidents are connected, while Uber denied Russian involvement last night.
Sadiq Khan, the Mayor of London, said the cover-up was “of real concern” ahead of a legal appeal by Uber against the loss of its London licence.
The taxi-hailing app firm continues to operate in the capital, pending the appeal, which is due to start in early December. Uber was stripped of its private hire licence by Transport for London in September after it concluded the Us-based company was “not fit and proper”. The timing of the disclosure of the hack could not be worse.
Uber, which is valued at almost $70 billion (£52.6 billion), revealed on Tuesday that it had paid a $100,000 ransom (about £80,000) to two hackers who stole data about customers and drivers in Oct 2016. Uber tracked down the hackers and requested they sign non-disclosure agreements to keep the breach secret, according to The New York Times. The firm was then accused of hiding the reason for the payment by claiming it had employed the hackers to find weaknesses in computer security.
The hackers stole names, email addresses and phone numbers of 57 million customers.
Uber continued to refuse last night to disclose how many UK customers were affected. The NCSC confirmed it was investigating. A spokesman said: “Companies should always report any cyber attacks to the NCSC immediately. The more information a company shares in a timely manner, the better able we are to support them and prevent others falling victim. We are working closely with other agencies, including the NCA and ICO.”
The ICO, the UK’S information watchdog, said it had also begun an inquiry after confirming that Uber’s British customers had been hacked.
James Dipple-johnstone, ICO’S deputy commissioner, said: “Uber’s announcement about a concealed data breach last October raises huge concerns around its data protection.”