People Insights
Contact Us
Get in touch
Contact Us
Published On: November 23, 2017 | Blog | 0 comments

How not to deal with a data protection breach – Uber in the news again

As the ongoing saga of the Uber drivers Employment Tribunal bubbles along, the company has been in the news again.  This time, in relation to its data protection policies.

Uber has been required to take urgent action following the revelation that, in 2016, hackers were able to download files from the company’s cloud-based storage accounts.

The files contained personal information about 57 million Uber uses around the world including names, email addresses and mobile phone numbers.  In addition, the names and driver’s license numbers of approximately 600,000 drivers in the US were obtained.

The chief executive of Uber, Dara Khosrowshahi, has assured customers that action is being taken and that he only recently was informed that the breach had taken place.  He indicated that trip location history, credit card numbers, bank account numbers, social security numbers and dates of birth were not in the information downloaded.

So, what steps were taken?  At the time of the incident in October 2016, the company secured the data, shut down unauthorised access, identified the hackers, demanded confirmation that the information obtained was destroyed and implemented new security measures.

The question obviously arose as to why this potentially catastrophic breach was not made public at the time of the hack.  Khosrowshahi merely stated that he ‘had the same question’ therefore the jury is out on that point.  The chief executive has taken the following actions in light of the recent discovery:

  • Engaging an expert to consult on security and procedures
  • Termination of two staff members’ employment
  • Notification to drivers individually whose license numbers were obtained and provision of free credit monitoring and protection against identify theft
  • Notification to regulator
  • Monitoring of affected accounts and provision of additional fraud protection

What does this mean for the UK?  The Information Commissioner’s Office (ICO) deputy commissioner, James Dipple-Johnstone, has advised that the data breach raises huge concerns about the ethics and data protection policies of Uber.  An investigation is to be launched where the ICO will work with the National Cyber Security Centre to ascertain the scale of the breach, how this affects individuals in the UK and what Uber needs to do to comply with its obligations in respect of data protection.  Uber must identify any UK citizens who have been subject to the data breach and take steps to reduce any harm caused.  The ICO has warned that deliberately concealing breaches from regulators and citizens could attract higher fines for companies.

Although the investigation is yet to commence, there is speculation that the timing of Uber’s disclosure in not unrelated to the fact that the new General Data Protection Regulation (GDPR) comes into force on 25 May 2018.  Breach of the GDPR may attract fines of 20 million Euros or 4% of annual worldwide turnover, whichever is the greater.  Currently, the ICO only has the power to issue fines of up to £500,000 and the highest fines to date include a £400,000 fine given to TalkTalk in October 2016 for a breach affecting 156,959 customers.  Uber may well want to get the investigation out of the way before the higher fines are implemented.

All businesses are obliged to have systems in place for the GDPR to ensure compliance with data protection principles.  The starting point is to assess current data security measures, ensure that there is an efficient reporting mechanism and train employees on what to do if there is a breach.  If you would like to discuss the changes that the GDPR shall bring and how this affects your business, please contact Elaine O’Connor on 0207 940 4000 or

* Disclaimer: The information on the Anthony Gold website is for general information only and reflects the position at the date of publication. It does not constitute legal advice and should not be treated as such. It is provided without any representations or warranties, express or implied.*
  • Knowledge and experience of working strategically in-house at Cadbury UK Limited, a global organisation, at a time of corporate re-structuring and huge transformation
  • Experience in a variety of contentious and non-contentious matters, both civil and commercial
  • Practical advice to clients at the outset of their business ventures
  • Elaine has a personal interest in supporting female lawyers and is an active member of the Association of Women Solicitors
  • What Elaine’s clients say:
  • “Elaine is a lovely person, professional, she listens & she has a soul. Elaine is Truly amazing.”
  • “Many many thanks Elaine, talking to you is the best thing that has happened to me in 2019 for sure.”

Get in touch

Call, email or use a contact form – whichever suits you. We’ll let you know the best person to help you get started.

Call or Email

020 7940 4060

No comments

Add your comment

We need your name and email address to make sure you’re a real person. We won’t share your email address with anyone else or send you spam. Please complete fields marked with *.

Leave a Reply

Your email address and phone number will not be published on the website. Other visitors will not be able to see your contact information. Required fields are marked *

Contact Us

How can we help?

Request a Call Back

How can we help?