The UK data regulator says it will 'definitely be investigating' the Uber breach

Elizabeth Denham Town Hall Speech 21072016

The Information Commissioner's Office (ICO), the UK's data regulator, said on Wednesday that it plans to investigate a huge data breach that Uber concealed.

Uber said on Tuesday that a hack in 2016 affected 57 million Uber customers and drivers. The San Francisco taxi app kept the breach a secret and paid the hackers $100,000 (£75,000) to delete the data.

When asked whether the ICO plans to issue Uber with a fine, a spokesperson told Business Insider: "It's too early to say but it's something that we'll definitely be investigating."

James Dipple-Johnstone, ICO deputy commissioner, said in a statement:

"Uber's announcement about a concealed data breach last October raises huge concerns around its data protection policies and ethics.

"It's always the company's responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers. If UK citizens were affected then we should have been notified so that we could assess and verify the impact on people whose data was exposed.

"We'll be working with the NCSC plus other relevant authorities in the UK and overseas to determine the scale of the breach, how it has affected people in the UK and what steps need to be taken by the firm to ensure it fully complies with its data protection obligations.

"Deliberately concealing breaches from regulators and citizens could attract higher fines for companies."

The breach took place in October 2016. The hackers were able to steal the names, emails, and phone numbers for 50 million riders globally, in addition to the personal information of 7 million drivers. This included US driver's license numbers, but no Social Security numbers, according to Uber.

Uber CEO Dara Khosrowshahi quietly published a blog post about the incident on Tuesday.

"As Uber's CEO, it’s my job to set our course for the future, which begins with building a company that every Uber employee, partner and customer can be proud of. For that to happen, we have to be honest and transparent as we work to repair our past mistakes.

"I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use. The incident did not breach our corporate systems or infrastructure."

Khosrowshahi said Uber's staff have not found any evidence that trip location history, credit card numbers, bank account numbers, social security numbers or dates of birth were downloaded.

He added that two of the Uber employees that led the response on the breach left the company on Tuesday.

"None of this should have happened, and I will not make excuses for it," said Khosrowshahi. "While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers."

An Uber spokesperson was unable to say how many people in the UK were affected.

Join the conversation about this story »

NOW WATCH: 15 things you didn't know your iPhone headphones could do