Uber Technologies faces privacy probes across the European Union from regulators who vowed to look into the huge data breach that the company hid for more than a year after hackers stole vast amounts of personal data about customers and drivers.
EU data protection officials from the 28-nation bloc will discuss the incident and its privacy implications at a regular meeting in Brussels next week, the head of the so-called Article 29 Working Party said in a statement on Thursday. Multiple regulators in Europe earlier already vowed to start an investigation, with Italy’s data protection chief speaking of an “obvious lack of adequate security measures” at the ride-hailing company.
“We can only express our deep concern about the breach,” Antonello Soro, president of the Italian authority, said in a statement on its website on Wednesday. “We have opened an investigation and we are collecting all the useful elements to assess the extent of the data breach and the actions to be taken to protect any Italian citizens involved.”
Hackers stole the personal data of 57m customers and drivers from Uber, a major breach that the company concealed for more than a year. This week, the ride-hailing firm ousted its chief security officer and one of his deputies for their roles in keeping the hack under wraps, which included a US$100 000 payment to the attackers.
Compromised data from the October 2016 attack included names, e-mail addresses and phone numbers of 50m Uber riders around the world, the company said on Tuesday. The personal information of about seven million drivers was accessed as well, including some 600 000 US driver’s licence numbers. No social security numbers, credit card information, trip location details or other data were taken, Uber said.
At the time of the incident, Uber was negotiating with US regulators investigating separate claims of privacy violations. Uber now says it had a legal obligation to report the hack to regulators and to drivers whose licence numbers were taken. Instead, the company paid hackers to delete the data and keep the breach quiet. Uber said it believes the information was never used but declined to disclose the identities of the attackers.
Notifying authorities
A spokesman from Uber said the company is in the process of notifying various regulatory and government authorities.
The Dutch privacy watchdog, Uber’s lead regulator in Europe, the Spanish and the British agencies also said they are reviewing the incident.
The Netherlands regulator said that Uber, which has its European base in the nation, has informed it of the hack. “As we do with every data breach report, we will look into this report very thoroughly,” its spokeswoman, Frederique Hermie, said in an e-mail.
While some European watchdogs’ fining powers are minimal, most of the current 28 EU regulators have no powers to levy penalties at all. This will change in May 2018, when data protection authorities across the bloc will get the same powers to fine companies, including US firms, as much as 4% of annual sales.
“Deliberately concealing breaches from regulators and citizens could attract higher fines for companies,” James Dipple-Johnstone, deputy commissioner of the UK Information Commissioner’s Office, said in an e-mailed statement. He said the data breach raised “huge concerns around its data protection policies and ethics”. — Reported by Stephanie Bodoni, (c) 2017 Bloomberg LP