After the recent revelation that Uber sustained a colossal data breach and attempted to hide it, the company has now disclosed that 2.7 million British people were among the 57 million victims.
This UK-specific figure is thought to include the personal information of both customers of the service and drivers themselves, but according to the BBC, Uber has not been able to provide details of the number of drivers involved.
The initial attack was carried out in 2016 during the pock-marked tenure of ex-CEO Travis Kalanick and, most shockingly, executives at the company made moves to cover up the breach by offering the hackers money to erase the stolen data.
In an update added to the original post about the incident, Uber shared the UK figure, saying: “In the United Kingdom this involved approximately 2.7m riders and drivers. This is an approximation rather than an accurate and definitive count because sometimes the information we get through the app or our website that we use to assign a country code is not the same as the country where a person actually lives.”
The UK’s Information Commissioner’s Office (ICO) reacted to the UK-specific revelation, stating that it is working with the National Cyber Security Centre to support those affected.
James Dipple-Johnstone, deputy commissioner, Information Commissioner’s Office, said: “Uber has said the breach involved names, mobile phone numbers and email addresses… On its own this information is unlikely to pose a direct threat to citizens. However, its use may make other scams, such as bogus emails or calls, appear more credible. People should continue to be vigilant and follow the advice from the NCSC.”
“As part of our investigation we are still waiting for technical reports which should give full confirmation of the figures and the type of personal data that has been compromised… We would expect Uber to alert all those affected in the UK as soon as possible,” Dipple-Johnstone said.
The customer and driver data may not seem critical or valuable, but it is, and such data is being amassed in vast quantities for future use.
Paul Ducklin, Senior Security Advisor, Sophos, said: “It’s easy to think, when a data breach includes ‘only’ names, addresses and phone numbers, that it’s not of much significance. But any personal data that crooks can collect unlawfully has value on the Dark Web. If the crooks who stole the data don’t abuse it directly, they may very well sell it on to someone else who will.”