Up to 5m UK Uber users’ data stolen by hackers
App bosses hushed up attack after paying £75,000 ransom
CYBER spying experts are investigating Uber over fears that the personal details of up to five million British customers could be targeted by fraudsters.
The taxi app has admitted covering up a cyber hack that exposed the personal information of 57 million users and drivers worldwide.
The US firm also paid the hackers £75,000 to keep the data breach quiet.
Now experts from the National Cyber Security Centre – the cyber arm of the intelligence agency GCHQ – have teamed up with the National Crime Agency and the Information Commissioner’s Office to discover how many customers in the UK were affected by the hack in October last year.
The National Crime Agency will focus on whether any crimes have been committed by Uber or by fraudsters targeting the company’s customers.
The investigation mirrors one being held in the US by the New York state attorney general.
News of the cyber hack came out in the early hours yesterday, catching British officials completely off guard.
Theresa May’s official spokesman said: ‘It is a worldwide incident and it is unclear which countries were affected. We have not seen evidence that financial details have been compromised.’
He added that Uber ‘did not notify individuals in the UK, the Government or UK regulators’ when it discovered the hack 13 months ago.
As the consumer group Which? urged Uber customers to change their bank passwords and check their accounts, deputy information commissioner James Dipple-Johnstone said: ‘Uber’s announcement raises huge concerns around its data protection and ethics.
‘Deliberately concealing breaches from regulators and citizens could attract higher fines for companies.’
The Information Commissioner’s Office can fine firms up to £500,000 for breaching data protection legislation, and can prosecute if evidence of criminality is found.
Yesterday, the National Cyber Security Centre said it had ‘not seen evidence that financial details have been compromised’.
Uber reportedly tracked down the hackers and pressured them to sign non-disclosure agreements so news of the breach did not get out.
The New York Times said company executives then dressed up the breach as a ‘bug bounty’ – the practice of paying hackers to test the strength of software security.
Uber’s chief executive Dara Khosrowshahi, who was brought in this summer to clean up the firm after a series of setbacks and scandals, revealed a third-party cloud service had been infiltrated.
He said two cyber criminals outside the company ‘inappropriately accessed user data’ in late 2016. According to the news service Bloomberg, the hackers obtained login details to access data stored in Uber’s Amazon Web Services account.
The stolen data includes names, email addresses and mobile phone numbers, as well as the names and number plates of 600,000 US drivers.
Mr Khosrowshahi stressed there had been ‘no indication’ that trip history, credit card details, bank account numbers or dates of birth were downloaded by the hackers. He said that at the time of the incident the firm ‘took immediate steps to secure the data and shut down further unauthorised access’.
He said the affected accounts would get extra fraud protection, and the hackers had destroyed the downloaded data, adding: ‘None of this should have happened, and I will not make excuses for it.
‘While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.’
Labour MP Wes Streeting, who chairs the all-party parliamentary group on taxis, said: ‘It is completely outrageous that Uber suffered such a serious data breach... and has only seen fit to disclose it a year later.
‘This is another prime example of Uber’s total lack of corporate responsibility and care for customers – and why it is a million miles from being a fit and proper operator.
‘I don’t think they should be given a licence to operate in any city in Britain until they have cleaned up their act.’
The news comes as Uber appeals against the decision by London Mayor Sadiq Khan and Transport For London to strip it of its licence to operate in the capital over concerns about background checks and sexual attacks by drivers.