EU privacy regulators could launch investigation into Uber cover-up

24 Nov 2017

Uber app. Image: Siarhei Dzmitryienka/Shutterstock

Data protection authorities in Europe are considering a coordinated investigation into the ride-sharing app’s recent breach cover-up.

Issues continue for Uber as it deals with the repercussions of a concealed data breach that exposed personal information from about 57m user accounts.

Uber’s CSO, Joe Sullivan, was fired for his role in hiding the breach that took place in October 2016. Hackers stole user names, email addresses and phone numbers along with Uber driver information.

CEO of Uber, Dara Khosrowshahi, admitted: “None of this should have happened, and I will not make excuses for it.”

EU authorities examining the cover-up

The Article 29 Working Party (A29WP) is a major advisory body consisting of various EU data protection experts, and the group looks set to be going through the Uber incident with a fine toothcomb.

Reuters reported that the A29WP said on Thursday (24 November) that the incident would be a point of discussion at its meeting on 28 and 29 November.

Although EU data protection authorities cannot impose joint penalties as of yet, they can create taskforces to coordinate national investigations.

The imminent enforcement of GDPR in May 2018 means that EU authorities will soon be coordinating their approaches to breaches and cover-ups by firms such as Uber, and the threat of fines and reputational damage will create unprecedented penalties for companies that don’t comply with regulations.

Voicing strong concerns

Antonello Soro, president of the Italian Data Protection Authority, said: “We cannot but voice our strong concern for the breach suffered by Uber, which was reported belatedly by the US company. We initiated our inquiries and are gathering all the information that can help us assess the scope of the data breach and take the appropriate steps to protect any Italian citizens involved.”

The British data protection organisation also expressed “huge concerns” about Uber’s data policies and wider ethical standpoints.

Uber’s European hub is in the Netherlands, and authorities there are looking into the company’s actions. The country has stricter data protection laws than many other EU member states, requiring firms to notify its data protection body within 72 hours of a breach, or face fines of up to €820,000.

An ‘egregious’ cover-up by Uber

Commenting on Uber’s handling of the breach, CEO of digital identity verification firm Socure, Sunil Madhu, told Siliconrepublic.com: “What makes the incident especially egregious is that Uber’s chief security officer made the decision to conceal the issue. Uber clearly needs a new board and better oversight. Paltry fines imposed on these businesses aren’t enough to encourage good behaviour.

“If this were to happen after May 2018 when the EU’s GDPR regulation goes live across 27 countries in Europe, considering that Uber operates globally, they would have been fined. Perhaps that’ll make companies like these take good security and privacy posture seriously and not make it an afterthought.”

Uber app. Image: Siarhei Dzmitryienka/Shutterstock

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects

editorial@siliconrepublic.com