Uber says 2.7M UK users affected by 2016 data breach

Uber’s October 2016 data breach affected some 2.7 million UK users, it has now been revealed.

On Friday the government said it had been informed by Uber that UK users were affected by the 2016 breach, though it did not disclose the number at that stage.

Uber only publicly disclosed the existence of the data breach this month, close to a year after learning that hackers had accessed data on a total of 57M Uber users and drivers.

In an update about the breach today, the UK’s data protection watchdog confirmed that for UK users affected data is names, mobile phone numbers and email addresses.

It added that it expects Uber to alert affected users ASAP.

It’s not clear whether the company has begun doing so yet. We asked Uber to confirm this but a spokesperson only noted it has posted an update to its blog about affected UK users at this point.

For a little context on the 2.7M figure, Uber claims to have around 3M users in London, the UK’s capital and its largest city in Europe. It does also operate in multiple other cities around the UK too.

Here’s the full statement, from the ICO’s deputy commissioner, James Dipple-Johnstone, including its advice on what UK Uber users should do:

Uber has confirmed its data breach in October 2016 affected approximately 2.7million user accounts in the UK.

Uber has said the breach involved names, mobile phone numbers and email addresses.

On its own this information is unlikely to pose a direct threat to citizens. However, its use may make other scams, such as bogus emails or calls appear more credible. People should continue to be vigilant and follow the advice from the NCSC.

As part of our investigation we are still waiting for technical reports which should give full confirmation of the figures and the type of personal data that has been compromised.

We would expect Uber to alert all those affected in the UK as soon as possible.

We are continuing to work with the NCSC plus other relevant authorities in the UK and overseas to ensure the data protection interests of UK citizens are upheld.

Update: Also today, Europe’s influential Article 29 Working Party — the data protection oversight body that’s comprised of representatives from data protection agencies of EU Member States — confirmed it has established a taskforce to help co-ordinate national investigations into the Uber data breach.

A spokeswoman for the group said the taskforce is being led by the Dutch DPA, and includes representatives from the ICO, and the French, Italian, Spanish, Belgian and German DPAs.