Uber has recently admitted that it concealed a cyberattack that exposed the data of 57 million customers and drivers in October 2016, including names, email addresses and mobile phone numbers. The breach was hidden by the firm, which paid hackers US $100,000 (approx. £75,000) to delete the data.
Last week, the ICO confirmed UK citizens have been affected by the breach. It stated Uber’s admission “raises huge concerns around its data protection and policies,” and that “deliberately concealing breaches from regulators and citizens could attract higher fines for companies.” The National Cyber Security Centre (NCSC) also said companies must report any cyberattack “immediately.” The ICO announced it is working with the NCSC to determine the exact scale of the breach, and what steps Uber will need to take to comply with its data protection obligations.
The GDPR makes it mandatory for organisations to report breaches to the ICO and individuals within 72 hours (where feasible) of a breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Clearly, organisations should not attempt to conceal any issues, as this may result in increased fines and, more significantly, negative publicity.
Uber was previously fined £20,000 by the ICO for failing to disclose a less serious breach in 2014. Due to the scale of the breach, its repeated offending and the way in which it was handled, it is likely the consequences will be much more severe this time around.