Uber Technologies Inc. faces at least three probes in Europe following revelations that the company kept quiet for more than a year after hackers stole vast amounts of personal data about customers and drivers.
Italy’s data protection chief said today his service opened a probe into “the obvious lack of adequate security measures.” The Dutch privacy watchdog, Uber’s lead regulator in Europe, and the British agency also said the ride-hailing firm is in their cross-hairs.
“We can only express our deep concern about the breach,” Antonello Soro, president of the Italian authority, said in a statement on its website. “We have opened an investigation and we are collecting all the useful elements to assess the extent of the data breach and the actions to be taken to protect any Italian citizens involved.”
Hackers stole the personal data of 57 million customers and drivers from Uber, a major breach that the company concealed for more than a year. This week, the ride-hailing firm ousted its chief security officer and one of his deputies for their roles in keeping the hack under wraps, which included a $100,000 payment to the attackers.
Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world, the company told Bloomberg on Tuesday. The personal information of about 7 million drivers was accessed as well, including some 600,000 U.S. driver’s license numbers. No Social Security numbers, credit card information, trip location details or other data were taken, Uber said.
At the time of the incident, Uber was negotiating with U.S. regulators investigating separate claims of privacy violations. Uber now says it had a legal obligation to report the hack to regulators and to drivers whose license numbers were taken. Instead, the company paid hackers to delete the data and keep the breach quiet. Uber said it believes the information was never used but declined to disclose the identities of the attackers.
A spokesman from Uber said the company is in the process of notifying various regulatory and government authorities.
The Netherlands regulator confirmed that Uber, which has its European base in the nation, has now informed it of the data breach. “As we do with every data breach report, we will look into this report very thoroughly,” its spokeswoman Frederique Hermie said in an email.
While some European watchdogs’ fining powers are minimal, most of the current 28 EU regulators have no powers to levy penalties at all. This will change in May 2018, when data protection authorities across the bloc will get the same powers to fine companies, including U.S. firms, as much as 4 percent of annual sales.
“Deliberately concealing breaches from regulators and citizens could attract higher fines for companies,” James Dipple-Johnstone, deputy commissioner of the U.K. Information Commissioner’s Office, said in an emailed statement. He said the data breach raised “huge concerns around its data protection policies and ethics.”