The UK government was first alerted to a massive breach of an estimated 57 million Uber accounts "by the media", the minister of state for digital said on Thursday.
Responding to an urgent question in parliament this morning, Matt Hancock MP admitted he was "notified by the media of a potentially significant data breach", when the news broke on Tuesday.
For the government and "the UK authorities ... as far as we're aware, the first notification was through the media," he said.
Asked whether the alleged lack of notification to regulators was illegal, he continued: "That is a matter for the courts, but I think there's a very high chance that it is."
Hancock added that current information indicated the hack was not committed in the UK – but said UK customers were affected. Regarding the number of UK accounts that may have been compromised, Hancock said he did not have "sufficient confidence" in the figures currently being provided by Uber.
He told the Commons he would be making a further announcement "within days".
"We're verifying the extent and the amount of information and when we have a sufficient assessment we will publish the details," he said. Hancock warned UK customers and drivers to stay "vigilant" in the meantime, but gave assurances that "the stolen information is not the sort that would allow direct financial crime".
An Uber spokesperson in the UK confirmed to BuzzFeed News: "We are in the process of notifying various regulatory and government authorities and we expect to have ongoing discussions with them. Until we complete that process we aren't in a position to get into any more details."
Uber confirmed on Tuesday it had discovered that, for more than a year, some of its executives had concealed a data breach that compromised the information of 57 million accounts, following a report by Bloomberg. Executives reportedly paid $100,000 to the hackers in exchange for their silence about the incident.
The breach, which happened in October 2016, exposed users’ names, email addresses, and phone numbers, as well as the names and driver's licence numbers of 600,000 drivers. Users from around the world had been affected, the company said, adding that it had not detected any theft of trip location history, credit card numbers, bank account numbers, social security numbers, or birth dates.
Uber's CEO, Dara Khosrowshahi, said he had only just learned about the breach as the news broke on Tuesday. "None of this should have happened, and I will not make excuses for it," he wrote in a blog post. It is reported that those executives who had knowledge of the breach have now had their contracts terminated.
The revelation has prompted investigations from regulators around the world, including the Information Commissioner's Office in the UK.
In a statement, the ICO said it was always a company's responsibility to "identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers. If UK citizens were affected then we should have been notified so that we could assess and verify the impact on people whose data was exposed."
"Uber's announcement about a concealed data breach last October raises huge concerns around its data protection policies and ethics," it said.
"We are working with ... other relevant authorities in the UK and overseas to determine the scale of the breach, and what steps need to be taken by the firm to ensure it fully complies with its data protection obligations."
In a statement, the UK's National Cyber Security Centre (NCSC) said it had not seen evidence that any financial details had been compromised but urged customers to immediately change any passwords used with Uber, and be alert to potential phishing emails and scam calls.
It added that users should, however, not feel obliged to delete the app because "the incident took place over a year ago and we have seen no evidence of additional risk having the app on your phone today."
Uber is also due to appear in court on 11 December to appeal against Transport for London's decision to not renew its private-hire licence over concerns it is not a "fit and proper" operator.