
Uber’s Huge Data Breach Hush-Up

27 Nov 2017

On Tuesday 21st November 2017, Uber admitted that it had failed to disclose a cyberattack that exposed the data of some 57 million combined drivers and passengers — and paid hackers to not release the stolen data.


The October 2016 attack saw hackers unlawfully access 57 million names, email addresses and mobile phone numbers. Within that number, 600,000 drivers – who, in light of the recent Employment Appeal Tribunal decision, qualify as workers in the UK rather than being self-employed – had their names and licence details exposed.


The 2016 breach was hidden by the ride-sharing firm, which paid the hackers $100,000 (£75,000) to delete the data. In January, Uber was fined $20,000 for failing to disclose a considerably less serious breach which occurred in 2014.


According to Uber, there has been no evidence of fraud or misuse tied to the 2016 incident; the affected accounts are being monitored and additional fraud protection measures have been put in place. However, the Information Commissioner's Office (ICO) has stated that Uber’s admission raises huge concerns around its data protection policies and ethics. James Dipple-Johnstone, deputy commissioner of the ICO, emphasised that:


“It's always the company's responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers. If UK citizens were affected then we should have been notified so that we could assess and verify the impact on people whose data was exposed.”


A Higher Standard


The new Data Protection Bill, which incorporates the General Data Protection Regulations 2016 (GDPR), means that data protection obligations have become more stringent and businesses must be able to demonstrate compliance. Whilst the new Bill reflects existing data protection law, it is more onerous and gives the ICO greater enforcement powers.


Under the new Act, a notifiable breach, such as the one Uber concealed, has to be reported to the ICO within 72 hours of the organisation becoming aware of it. Failing to notify a breach when required to do so can result in a significant fine of up to 10 million Euros or 2 per cent of the organisation's global turnover.


Overall, the new Act includes more rights for individuals and provisions which promote accountability and governance, with a view to minimising the occurrence of breaches such as the one Uber concealed.


Concerns about corporate cybersecurity have intensified in the wake of high-profile hacks targeting organisations such as Uber, the NHS and TalkTalk. It is thus essential that appropriate security measures are put in place to ensure compliance with data protection principles.


If you require advice on data protection issues including the upcoming changes to the law, how to prepare, or are the subject of ICO investigation or enforcement action, please contact Andrew Swan or Sheila Ramshaw on 0191 232 0283 or at and respectively.


Short Richardson & Forth, 4 Mosley Street, Newcastle upon Tyne, NE1 1DE

Tel: +44 (0)191 232 0283  ·  Email:


Short Richardson and Forth Solicitors Limited is a private limited company registered in England and Wales under company number 10572065, authorised and regulated by the Solicitors Regulation Authority No 637150.

Short Richardson and Forth Solicitors Limited is a private limited company constituted and run in accordance with the provisions of the Companies Act 2006. The term “partner” has been used to denote individual senior solicitors employed by Short Richardson and Forth Solicitors Limited.