UK and US regulators are looking into Uber's late reporting of a data breach that involved the theft of personal information from 57 million user accounts and 600,000 US drivers.
The UK's Information Commissioner's Office (ICO) is working to determine the scale of the breach, who was affected, and what steps Uber needs to take to ensure it's complying with data protection rules.
In the US, New York Attorney General Eric Schneiderman has opened an investigation, his spokeswoman said on Wednesday. The US Federal Trade Commission is also looking into the matter, a commission spokesman said in an email.
Uber was breached in October 2016, and discovered the hack a month later. But management decided to keep it under wraps until the company's new CEO, Dara Khosrowshahi, learned of it recently.
So far, Uber hasn't given a geographic breakdown of who might have been affected. But Uber's decision to keep things quiet "raises huge concerns" about its data protection policies and ethics, according to James Dipple-Johnstone, ICO deputy commissioner. "If UK citizens were affected then we should have been notified," he said. "Deliberately concealing breaches from regulators and citizens could attract higher fines for companies."
The UK's National Cyber Security Centre also voiced concern. "Companies should always report any cyber attacks to the NCSC immediately," it said in a statement.
In the US, most states have laws that require companies to disclose a data breach when it affects local residents. However, according to The New York Times, Uber instead identified the hackers responsible and reportedly had them sign nondisclosure agreements to keep them quiet about the incident.
Uber also paid the hackers $100,000 to delete the stolen data, but made the payment look like a reward, or a bug bounty, for finding a security hole in the company's systems.
Uber's new CEO, Khosrowshahi, has fired the two employees who led the company's response to the hacking. Still, Uber's handling of the data breach raised eyebrows across the information security industry.
"Paying a ransom to delete data does not make any sense," Shuman Ghosemajumder, chief technology officer at Shape Security, said in an email. That's because it's impossible to verify if the hackers made any additional copies of the stolen data, he added.
However, other security experts say paying off hackers can be necessary. "It's easy to judge [organizations] for paying a ransom, but it's often the best bad decision. You'd pay a ransom for your child, data's no different," tweeted Jake Williams, founder of security firm Rendition InfoSec.
So far, Uber has found no fraud or misuse tied to the accounts affected by the breach, which exposed names, email addresses, and mobile phone numbers of Uber riders. Around 600,000 Uber drivers also had their driver's license numbers stolen as part of the breach.