Uber says 2.7m Brits affected by 2016 data breach

NCSC encourages password reset amid ongoing investigation

Uber Technologies has confirmed that 2.7 million account holders in the UK have been affected by the data breach that took place last year.

The ride-hailing firm provided the UK-specific breach data to the Information Commissioner’s Office following last week’s admission that the company fell victim to a major hack in October 2016.

“Uber has confirmed its data breach in October 2016 affected approximately 2.7 million user accounts in the UK,” said the ICO’s deputy commissioner of operations, James Dipple-Johnstone.

“Uber has said the breach involved names, mobile phone numbers and email addresses. As part of our investigation we are still waiting for technical reports which should give full confirmation of the figures and the type of personal data that has been compromised.”

On November 21, Uber CEO Dara Khosrowshahi provided details of the hack, which resulted in the personal details of 57 million users being compromised.

While Dipple-Johnstone said the leaked information, on its own, is unlikely to pose a direct threat to British citizens, he warned Uber account holders to “continue to be vigilant” and follow the advice from the National Cyber Security Centre (NCSC).

In the wake of the breach announcement, the NCSC urged Uber users to immediately change their account passwords, be alert to phishing emails and scam calls, and contact Action Fraud if they think they have been a victim of cybercrime.

“We are continuing to work with the NCSC plus other relevant authorities in the UK and overseas to ensure the data protection interests of UK citizens are upheld,” Dipple-Johnstone stated.

Although 2.7 million is by no means a small figure, the number of impacted UK citizens is perhaps lower than some might have expected, given the fact that Uber is estimated to have 3.5 million customers in London alone.

Across the Atlantic, reports of lawsuits against Uber continue to surface. Washington, Chicago, and Alberta are all said to be suing the firm for purportedly contravening state disclosure rules – although authorities north of the border are still struggling to obtain a concrete figure relating to the number of Canadian citizens impacted by the hack.