Uber has revealed that 2.7 million British riders and drivers were affected by a 2016 data breach that it covered up for more than a year.
A total of 57 million people worldwide had data exposed in the breach, but the firm had not previously specified how many were UK-based.
The stolen information includes names, email addresses and phone numbers and – for US drivers – licence numbers.
Uber should notify UK users who have been affected, the data regulator said.
According to Uber, the 2.7 million figure is “approximate rather than an accurate and definitive account” – this is because the information gathered by the firm’s app does not always specify where users live.
A spokesman for Uber told the BBC the firm is not able to clarify how many UK drivers are included in the 2.7 million.
The firm has said it has a total of five million active users and 50,000 drivers in the UK.
The Information Commissioner’s Office (ICO) had previously said it had “huge concerns” about the breach.
Responding to the latest news, a spokesman for the ICO said: “As part of our investigation we are still waiting for technical reports which should give full confirmation of the figures and the type of personal data that has been compromised.”
“We would expect Uber to alert all those affected in the UK as soon as possible.”
Similarly, the UK’s Minister of State for Digital, Matt Hancock, said, “The Government expects Uber to respond fully to the incident with the urgency it demands and to provide the appropriate support to its customers and drivers in the UK.”
The ICO believes the data could be used by scammers trying to target victims of the breach.
Both Uber and the ICO have directed users to advice from the UK’s National Cyber Security Centre that was published following news of the breach.
The latest development was described as “shocking” by London Mayor Sadiq Khan.
“Uber needs to urgently confirm which of their customers are affected, what is being done to ensure these customers don’t suffer adversely, and what action is being taken to prevent this happening again in the future,” he said.
When news of the breach was revealed last week, chief executive Dara Khosrowshahi said, “None of this should have happened, and I will not make excuses for it.”
The story was first broken by Bloomberg, which reported that Uber not only sought to cover up the incident but also paid hackers $100,000 (£75,000) to delete the data they had stolen.
Government update on cyber security and data protection: Written statement – HCWS287
Made by: Matt Hancock (Minister of State for Digital) 29/11/17
Uber has today estimated that the data breach which occurred in October 2016 has affected approximately 2.7 million user accounts in the UK that were using its service or working for the company in the UK at that time.
Uber have stated that this information included names, email addresses and mobile phone numbers related to accounts globally. Uber have stated they have not seen any indication that trip location history, credit card numbers, bank account numbers or dates of birth were downloaded. Based on current information, Uber have stated that they have not seen evidence that financial details have been compromised.
The Information Commissioner’s Office (ICO) have directed Uber to provide them with technical reports that should help UK authorities, in particular the ICO and National Cyber Security Centre (NCSC), to verify these figures and whether any additional types of personal data have been compromised. The Government expects Uber to cooperate fully and promptly with the ICO and the NCSC.
The ICO and NCSC will continue to work tirelessly with Uber to ensure this information is correct. The Government expects Uber to respond fully to the incident with the urgency it demands and to provide the appropriate support to its customers and drivers in the UK. Uber users should continue to be vigilant and follow the advice from the NCSC, which can be found on their website.
The Government takes both the protection of personal data and the right to privacy extremely seriously. It is always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and to take steps to reduce any harm to consumers, and it is welcome Uber has done this.
The Government is strengthening the UK’s data protection regime through a new Data Protection Bill, which will give more powers to the ICO to defend consumer interests and issue higher fines of up to £18 million or four per cent of global turnover, in cases of the most serious data breaches.
The ICO, NCSC and other relevant authorities in the UK and overseas will continue to work together to ensure the data protection interests of UK citizens are upheld.