Uber faces EU-wide privacy probes into hidden hacking attack

Register now

(Bloomberg) -- Uber Technologies Inc. faces privacy probes across the European Union from regulators who vowed to look into the huge data breach that the company hid for more than a year after hackers stole vast amounts of personal data about customers and drivers.

EU data protection officials from the 28-nation bloc will discuss the incident and its privacy implications at a regular meeting in Brussels this week, the head of the so-called Article 29 Working Party said in a statement Thursday. Multiple regulators in Europe earlier already vowed to start an investigation, with Italy’s data protection chief speaking of an “obvious lack of adequate security measures” at the ride-hailing company.

“We can only express our deep concern about the breach,” Antonello Soro, president of the Italian authority, said in a statement on its website Wednesday. “We have opened an investigation and we are collecting all the useful elements to assess the extent of the data breach and the actions to be taken to protect any Italian citizens involved.”

Hackers stole the personal data of 57 million customers and drivers from Uber, a major breach that the company concealed for more than a year. This week, the ride-hailing firm ousted its chief security officer and one of his deputies for their roles in keeping the hack under wraps, which included a $100,000 payment to the attackers.

Phone Numbers

Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world, the company told Bloomberg on Tuesday. The personal information of about 7 million drivers was accessed as well, including some 600,000 U.S. driver’s license numbers. No Social Security numbers, credit card information, trip location details or other data were taken, Uber said.

At the time of the incident, Uber was negotiating with U.S. regulators investigating separate claims of privacy violations. Uber now says it had a legal obligation to report the hack to regulators and to drivers whose license numbers were taken. Instead, the company paid hackers to delete the data and keep the breach quiet. Uber said it believes the information was never used but declined to disclose the identities of the attackers.

A spokesman from Uber said the company is in the process of notifying various regulatory and government authorities.

The Dutch privacy watchdog, Uber’s lead regulator in Europe, the Spanish and the British agencies also said they are reviewing the incident.

The Netherlands regulator said that Uber, which has its European base in the nation, has informed it of the hack. “As we do with every data breach report, we will look into this report very thoroughly,” its spokeswoman Frederique Hermie said in an email.

While some European watchdogs’ fining powers are minimal, most of the current 28 EU regulators have no powers to levy penalties at all. This will change in May 2018, when data protection authorities across the bloc will get the same powers to fine companies, including U.S. firms, as much as 4 percent of annual sales.

"Deliberately concealing breaches from regulators and citizens could attract higher fines for companies,” James Dipple-Johnstone, deputy commissioner of the U.K. Information Commissioner’s Office, said in an emailed statement. He said the data breach raised “huge concerns around its data protection policies and ethics.”

Bloomberg News