The US, the UK and Italy are among a widening group of countries that are up in arms and vowing to probe Uber’s cover-up of a massive hack attack that affected the personal data of over 57 million passengers and drivers across the globe.
The news comes on the heels of the ride-hailing company’s surprise acknowledgement that hackers had stolen personal data – including names, email addresses, phone numbers and approximately 600,000 driver’s license numbers – of 50 million riders and seven million drivers around the world back in October 2016.
To make matters worse, Uber also admitted that it had paid the perpetrators $100,000 to delete the data and keep the hack quiet.
Now, authorities in a number of states are reacting swiftly, saying that they would investigate the $68-billion company’s response to the data breach.
The Federal Trade Commission (FTC), America’s main regulator in charge of protecting consumers’ rights, said the agency is “closely evaluating the serious issues raised.” Meanwhile, the New York attorney-general’s office, which settled with Uber over its privacy policies last year, said it was opening a new investigation into the data breach. As part of the 2016 settlement, Uber agreed to pay $20,000 in fines for failing to report unauthorized access to drivers’ data until months after it was discovered.
Other states, including llinois, Massachusetts, Missouri and Connecticut also said they had launched investigations, according to US media. An Uber spokesman said in an emailed statement to Reuters that “We’ve been in touch with several state attorney-general offices and the FTC to discuss this issue, and we stand ready to co-operate with them going forward.”
Some US lawmakers have even called for congressional hearings.
Representative Frank Pallone Jr (N.J.), the top Democrat on the House Energy and Commerce Committee, also called on the FTC to investigate the Uber breach on Wednesday, according to The Hill.
In the UK, the Information Commissioner’s Office (ICO), which oversees data protection in the country, said it would look at how the breach had affected British users.
“Deliberately concealing breaches from regulators and citizens could attract higher fines for companies,” said James Dipple-Johnstone, the ICO’s deputy commissioner. “Uber's announcement about a concealed data breach last October raises huge concerns around its data protection policies and ethics.”
In Italy, Antonello Soro, president of Italian Data Protection Authority, said: “We can only express a strong concern about the breach sustained by Uber.” The agency has launched an inquiry, slamming “the obvious lack of adequate security measures to protect the [user] data.”
A spokesman for the data protection agency in the Netherlands, where Uber bases its European operations, told WSJ that it would also look into the data breach. In addition, the Philippines’ National Privacy Commission has demanded that Uber explain the incident during a special meeting scheduled for November 23.
Earlier this week, Uber’s new CEO Dara Khosrowshahi said that internal investigations did not produce any “indication that trip location history, credit card numbers, bank account numbers, social security numbers or dates of birth were downloaded.” Uber has also fired two employees who were leading the company’s response to the 2016 data breach.