Uber's secret pay-off to hackers to cover up a massive breach of customer and driver data is likely to exact a heavy price from the US ride-hailing service, as regulators are looking into the case.
Britain's Information Commissioner's Office said Wednesday that the data security breach at Uber raised "huge concerns" about data policies and ethics at the US ride-hailing firm.
"Deliberately concealing breaches from regulators and citizens could attract higher fines for companies," said deputy commissioner James Dipple-Johnstone.
The UK data protection regulator has opened an investigation into the hack of customer and driver data at Uber. Under current British law, the maximum penalty for organizations that fail to notify affected users and regulators when data breaches occur could be about £500,000 ($662,350, €563,000).
Under new data protection rules that come into force in the EU next May, companies will have to identify and notify regulators of data breaches within 72 hours or face significantly increased penalties.
Vera Jourova, the EU commissioner in charge of data, said Uber's failure to come clean about the breach showed why the new data protection law was needed. "Companies like Uber will not be able to hide the breaches of our personal data from us or face penalty," she said, without mentioning a sum for an EU fine for Uber.
The New York Attorney General's Office has also opened an investigation into the breach. Uber said it had informed regulators around the world of the breach on Tuesday, as well as individually contacting the US drivers whose license numbers had been taken.
The San Francisco-based company also revealed on Tuesday that it had only learned recently that personal information from about 57 million Uber accounts had been stolen in 2016. Chief Executive Dara Khosrowshahi, who replaced co-founder Travis Kalanick as CEO in August, said the company had fired two senior security officials involved in the cover-up.
Although the data breach did not include information such as credit card numbers or trip histories, the fact that it was not disclosed sooner and that the hackers were paid off about $100,000 could present a legal headache for the group.
Uber's payment to the hackers is unusual: few companies ever admit to paying attackers, because it could encourage further attacks. The Federal Bureau of Investigation (FBI) has repeatedly warned against paying a ransom, even if it involves only small sums, to decrypt stolen data.
uhe/tr (Reuters, AP, dpa)