back to article You're such a goober, Uber: UK regulators blast hushed breach

Brit regulators, security agencies and MPs have slammed Uber for covering up the massive data breach of 57 million customer and driver records. The company – already in hot water in London for its failure to toe the regulatory lines required of a taxi firm – has been widely condemned for concealing the 2016 breach. The UK's …

  1. Anonymous Coward
    Anonymous Coward

    Make TFL argument even more valid

    Well, this proves that TFL has a point.

    It perfectly fits "Uber as we know it" which is orthogonal to "Fit and proper to run a public service".

    So its issues are not one-off errors. They are systemic, endemic and an essential part of the business model.

    Remove the "issues" and there will be no Uber. Or no successful Uber (at the very least).

    1. Rich 11 Silver badge

      Re: Make TFL argument even more valid

      So its issues are not one-off errors.

      I think the Uber experience in several other countries has already made this clear.

    2. iRadiate

      Re: Make TFL argument even more valid

      Was a big fan of the whole idea of Uber but these guys need to be shut down now. They had their chance to show what they could do but they've failed at every opportunity given to them. Rapey drivers. Sexisim in the workplace. Devious software in their apps. Top management looking at private files of a rape victim. Top management not giving a shit about their drivers and now keeping quiet about a major data breach. Fuck em.

  2. astrax

    No way!

    I find it incredibly unlikely that a company like Uber, who are a paragon of morality and ethical conduct, would do anything remotely as deceptive as this.

    /sarcasm

  3. Gotno iShit Wantno iShit

    Softbank

    I cannot fathom why Softbank want to be associated with this lot. Absolute epitome of the Toxic Brand.

    1. Spudley

      Re: Softbank

      I cannot fathom why Softbank want to be associated with this lot. Absolute epitome of the Toxic Brand.

      It's worth adding they held back from releasing this information until after the Softbank investment had been completed.

    2. Deltics

      Re: Softbank

      Because they think they can make money from/with them ? Toxic $'s are still $'s.

      1. Triggerfish

        Re: Softbank

        It's not the only one they invested in they put $2b USD in grab, an Asian version of Uber.

  4. Commswonk Silver badge

    Funny really...

    Hail a black cab (which is a regulated environment, and has been more or less for ever) and pay cash and you have total anonymity, and are thus completely unhackable.

    Such is progress... I still cannot see any half convincing argument as to why Uber would need a database of its victims passengers.

    1. Loyal Commenter Silver badge

      Re: Funny really...

      The principle reason, as far as I am aware, is so that drivers can rate passengers, in the same way that passengers can rate drivers, so that drivers can avoid picking up people who are likely to be abusive, or violently ill in their car.

      The amount of data required for this presumably would be pretty small (an identifier, and a set of ratings), and I wonder what other associated account data Uber actually hold (such as identifying information and billing info), as well as how much of this data they need to hold, and whether it was leaked.

      The whole thing does indeed look pretty dodgy - from the fact that Uber didn't 'fess up to the breach at the time, and haven't revealed the nature of the stolen data, to the pretty amazing admission that they paid the criminals to delete the data that was stolen. I can see no way that they could verify that the crims actually did this, rather than taking the money and holding onto / selling the data.

      1. Twanky
        Flame

        Re: Funny really...

        'I wonder what other associated account data Uber actually hold'

        This is an archive of something published on Uber's corporate blog. It shows that not only do they collect data about their users, they allow people to analyse it and derive information which is none of their business. https://web.archive.org/web/20141118192805/http://blog.uber.com/ridesofglory

        ...and then they boast about it in their blog. Brilliant.

  5. Crisp Silver badge

    Will Uber Go Under?

    I can't imagine their customers will support them after this.

    1. iron Silver badge

      Re: Will Uber Go Under?

      Hahahahahaha. Funniest thing I've read all day.

      Most of their customers won't know or even care.

      Just look at how Talk Talk were largely unaffected by their data breach, or at how many people still use Uber after all the sexism, rape, assault, theft, etc cases.

      1. Commswonk Silver badge

        Re: Will Uber Go Under?

        @ iron: How I wish I could argue that you are writing complete bollocks; trouble is that I strongly suspect that you are completely correct.

        Depressing, isn't it...

      2. Anonymous Coward
        Anonymous Coward

        Re: Will Uber Go Under?

        My neighbours were with Talk Talk and they didn't know about the data breach until I told them, they'd also been targetted by the scammers who had gotten their information from the data breach, thankfully they were switched on and realised during the call that despite the professionalism of the the callers (they were passed on to another 'Talk Talk employee' mid-call) something didn't feel right so they hung up.

        They no longer use that incompetant company.

    2. big_D Silver badge

      Re: Will Uber Go Under?

      It is a good job they released the information this year, from next spring, if they wait more than 72 hours after the breach to inform authorities and affected persons (individually), they will face fines of up to 4% of their annual turnover (EU Data Protection).

  6. Liassic

    Penalties are not limited to €20 million...

    "...penalties will reach an upper limit of €20 million or 4% or annual global turnover – whichever is higher."

    Source: https://www.itgovernance.co.uk/dpa-and-gdpr-penalties

  7. TRT Silver badge

    I would like to make it absolutely clear...

    that Uber did not suffer a data loss event. Uber formed a strategic alliance with a data handling and penetration testing organisation, and the payment to them was a contractual obligation reflecting the level of service provided. As a result of this perfectly normal business relationship, it was not legally required for the company to disclose any breach or data loss because there was no such loss. Thank you.

    Do you think they bought it? Wha...? Huh? Oh shit, the microphone's stil.... *click*

  8. sjsmoto

    "To Uber":

    1. To screw someone over and give an empty, self-serving apology;

    2. To hire someone while plotting their demise at the same time (for example, with self-driving cars) and working to reduce their income (for example, with software that secretly reduces their fares).

  9. This post has been deleted by its author

    1. Anonymous Coward
      Anonymous Coward

      Re: Too Many Breaches....

      Lets see if GPDR changes anything... the EU seem to be a lot more fighty with the likes of Google and Microsoft on other issues, I'd imagine they will be getting similarly heavy over GPDR.

      But as you say, other governments on both sides of the pond have tended to let big business get away with murder so far on all sorts of matters.

      Its almost as though some in the UK didn't want to come under EU scrutiny isn't it...

    2. tfewster Silver badge
      Facepalm

      Re: Too Many Breaches....

      > Data Protection Act ... a twice yearly training course for everyone in the company.

      Really? When I was given the additional duties of Data Protection Officer to go with my tech support role, I wasn't offered any training, just given the registration forms to fill in for the hospital*. Hmm, maybe I should have been organising training for everyone else.

      * I spotted that that the Act didn't stop you doing anything evil, e.g. selling patients data, as long as your Registration stated that intention.

  10. born_free_taxed_for_life

    good to see how mucn uber cares about their staff, their customers and companies that work with them. Good to see we matter. This app is good and so is my business

  11. Trigonoceps occipitalis

    "the two employees that have been jettisoned from the firm."

    Worked for VW at one time?

    1. John Brown (no body) Silver badge

      Re: "the two employees that have been jettisoned from the firm."

      Not really. Billions in fines too.

  12. JWLong

    Butt Uber is San Fran Happy

    By Scott McKenzie:

    If you're going to San Francisco

    Be sure to wear some flowers in your hair

    If you're going to San Francisco

    You're gonna meet some gentle people there

    For those who come to San Francisco

    Summertime will be a love-in there

    In the streets of San Francisco

    Gentle people with flowers in their hair

    All across the nation

    Such a strange vibration

    People in motion

    There's a whole generation

    With a new explanation

    People in motion

    Bend over Uber customers.............

  13. bazza Silver badge

    How about their self driver?

    With this approach to IT security, and everything else, what do we think their attitude to bugs in their self driving car software is going to be? Reassuringly trustworthy? I think not...

    So I won't be getting inside one.

  14. Anonymous Coward
    Anonymous Coward

    Disclosure

    Seems that there's no incentive for companies to actually let anyone know about incidents. Maybe the eur20m/4% of global turnover figure should be made the *minimum* fine for a non-disclosed breach.

  15. Anonymous Coward
    Anonymous Coward

    US companies

    ... Equifax and Uber most recently, just don't care about their international responsibilities.

    No-one gives them any kind of hard time in the US and seem honestly surprised that little ole UK kicks up such a fuss... still a pitance of a fine (paid out of their investor cash) and its all sorted.

    In the same way as Brazil shut down Whatsapp, perhaps the UK could shut down Uber for a few days, nevermind a fine, stop their income here for a little while and they will start to pay attention, or just give up.

    The idea of using an app and moving the taxi system into modern times is a good one, there is not just uber who are doing this. The government are always going on about competition so why not shake things up a bit and level the playing field (if you treat data badly, you can't play in our sandpit)... ban Uber for the next two months (missing all those Xmas taxi rides) and they will either come back cap in hand or ditch the UK altogether. Both are better outcomes than a pittance of a fine.

    Since their drivers are "self-employed" they can drive for Grab or Lyft or anyone else.

  16. Winkypop Silver badge
    FAIL

    Brand destruction

    Epic style

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019