Uber has said it estimates that 2.7 million rider and driver accounts in the UK were compromised in a huge 2016 data breach that was concealed by executives for more than a year.
It said the information compromised included names, email addresses, and mobile phone numbers but that it had not seen "any indication" that trip location history, credit card numbers, bank account numbers, or dates of birth were downloaded. Uber had seen "no evidence of fraud or misuse tied to the incident", it said.
That 2.7 million figure was an "approximation rather than an accurate and definitive count," the company added, "because sometimes the information we get through the app or our website that we use to assign a country code is not the same as the country where a person actually lives."
Uber confirmed earlier this month that it had discovered that, for more than a year, some of its executives had concealed a data breach that compromised the information of 57 million accounts, following a report by Bloomberg. Executives reportedly paid $100,000 to the hackers in exchange for their silence about the incident.
The breach, which happened in October 2016, affected users from around the world. Matt Hancock MP, the minister of state for digital, told parliament on Thursday that he first heard of the breach "through the media".
Uber's CEO, Dara Khosrowshahi, said he too had just learned about the breach as the news broke. "None of this should have happened, and I will not make excuses for it," he wrote in a blog post. It is reported that those executives who had knowledge of the breach have had their contracts terminated.
The revelation has prompted investigations from regulators around the world, including the Information Commissioner's Office in the UK. The UK's National Cyber Security Centre said it had not seen evidence that any financial details had been compromised but urged customers to immediately change any passwords used with Uber and be alert to potential phishing emails and scam calls.
It added that users should, however, not feel obliged to delete the app, because "the incident took place over a year ago and we have seen no evidence of additional risk having the app on your phone today".
Matt Hancock MP said UK authorities would work to verify these figures and confirm whether any additional types of personal data have been compromised. He said the government expects Uber to "cooperate fully and promptly" with the "urgency it demands."
"The Government takes both the protection of personal data and the right to privacy extremely seriously. It is always the company's responsibility to identify when UK citizens have been affected as part of a data breach and to take steps to reduce any harm to consumers, and it is welcome Uber has done this," he said.
"Relevant authorities in the UK and overseas will continue to work together to ensure the data protection interests of UK citizens are upheld."
Reacting to Uber's announcement, the mayor of London Sadiq Khan said it was a "shocking development" that would "alarm millions of Londoners whose personal data could have been stolen by criminals".
"Uber need to urgently confirm which of their customers are affected, what is being done to ensure these customers don't suffer adversely, and what action is being taken to prevent this happening again in the future," he said.
“The public will want to know how there could be this catastrophic breach of personal data security.”