Uber has admitted to concealing a data hack that saw personal data of 57 million of its ride-hailing users globally compromised.

Uber covered up data hack for more than a year

First revealed by Bloomberg, the data breach took place in October 2016 and saw two hackers access user data from a third-party cloud-based service, including names, email address and mobile phone numbers of 57 million Uber users around the world as well as the names and licence numbers of around 600,000 Uber drivers in the US.

The San Francisco-based company said that it’s had no indication that credit card numbers, bank account numbers, Social Security numbers, dates of birth or trip location history details were hacked.

Uber CEO Dara Khosrowshahi confirmed the data breach in an online post as he said the company has “to be honest and transparent as we work to repair our past mistakes”.

Khosrowshahi said the company had taken immediate steps at the time of the breach “to secure the data and shut down further unauthorized access by the individuals”.

He added that the company had subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed – according to Bloomberg, Uber made a $100,000 payment to the attackers to delete the data.

Bloomberg also alleges that Uber has now sacked its chief security officer and one of his deputies for their role in the cover-up.

Although Khosrowshahi said that it was notifying identified Uber drivers in the US and providing them with free credit monitoring and identity theft protection, no action plan for Uber users affected by the hack was mentioned.

Uber also said it was notifying regulatory authorities.

Dean Armstrong QC, Cyber Law Barrister at Setfords Solicitors, said that although the hack occurred in North America, the General Data Protection Rules (GDPR) regulations coming into play in the UK and Europe next year would still cover any EU citizen’s data. “Assuming that at least some of the 50 million records hacked were of EU citizens, then under the new rules GDPR would potentially see Uber punished under EU regulation,” he commented.