Another scandal, another blow for Uber. This time, it relates to Uber’s “massive” data breach and subsequent cover-up.
The breach involved two individuals outside the company “inappropriately accessing” user data stored on a third-party cloud-based service. In a statement posted online by Uber’s Chief Executive, Dara Khosrowshahi, Uber confirmed the data accessed included:
• The names and driver’s license numbers of around 600,000 drivers in the United States.
• Some personal information of 57 million Uber users around the world, including the drivers described above. This information included names, email addresses and mobile phone numbers.
Uber wrote they “took immediate steps to secure the data and shut down further unauthorized access by the individuals”. Securing the data involved a payment of $100,000.00 (approximately £75,000.00) to the hackers in exchange for them (allegedly) signing non-disclosure agreements.
The Information Commissioner’s Office (ICO), the UK’s data protection regulator, has expressed its “huge concerns around [Uber’s] data protection policies and ethics”, especially in concealing the breach. The ICO have confirmed they will be investigating the scale of the breach, and the extent to which it has affected people in the UK.
The latest breach follows a string of data breaches by Uber, including ‘a stunning violation of privacy’ (reported in June 2017) when former Uber executives, Eric Alexander and Emil Michael, allegedly illegally obtained the medical records of a woman raped by an Uber driver. Just a couple of months prior, in April 2017, it was reported that Uber used secret software called “Hell” to track drivers from its rival, Lyft. The FBI is now leading an investigation with the Manhattan US attorney’s office into Uber’s use of the Hell program.
What is the current law in the UK in relation to Data Protection?
Currently the law is governed by the Data Protection Act 1998 (DPA) but this is due to change from May 2018. Jackson Boyd recently published an article setting out details of the upcoming Data Protection Bill (DPB), which is intended to give effect to the EU General Data Protection Regulation (GDPR) in the UK from May 2018. Here you can find an in-depth summary of the changes.
Compensation for data breaches
Section 13(2) of the DPA confirms an individual is entitled to compensation for damage and stress caused by a breach of the DPA. In March this year, an Edinburgh couple were awarded £8,634 after their neighbours installed CCTV cameras and audio equipment deliberately set to cover their property.
It seems possible the new DPB will give rise to greater claims regarding breaches of data protection, as businesses try to get up to speed with the various new and stricter measures required to ensure that they are complying with the new law.