Struggling ride-hailing firm Uber faces a fresh regulatory crackdown after disclosing it paid hackers $100,000 to keep secret a massive breach last year that exposed personal data from around 57 million accounts.
Discovery of the U.S. company's cover-up of the incident resulted in the firing of two employees responsible for its response to the hack, said Dara Khosrowshahi, who replaced co-founder Travis Kalanick as chief executive in August.
"None of this should have happened, and I will not make excuses for it," Khosrowshahi said in a blog post.
Britain's data protection authority said on Wednesday that concealment of the data breach raises "huge concerns" about Uber's data policies and ethics.
"Deliberately concealing breaches from regulators and citizens could attract higher fines for companies," James Dipple-Johnstone, deputy commissioner of the U.K. Information Commissioner's Office, said in a statement. Current British law carries a maximum penalty of 500,000 pounds ($662,000) for failing to notify users and regulators when data breaches occur.
The stolen information included names, email addresses and mobile phone numbers of Uber users around the world, and the names and license numbers of 600,000 U.S. drivers, Khosrowshahi said. Uber declined to say what other countries may be affected.
Khosrowshahi also said Uber had begun notifying regulators. The New York attorney general has opened an investigation, a spokeswoman said. Regulators in Australia and the Philippines said on Wednesday they would also look into the matter.
Long known for its combative stance with local taxi regulators, Uber has faced a stream of top-level executive departures over issues from sexual harassment to data privacy to driver working conditions, which forced its board to remove Kalanick as CEO in June.
In recent months, London's transport regulator stripped Uber of its license to operate, citing the company's failure to deal with public safety and security issues, although Uber is appealing against the decision and the new CEO has held talks with Transport for London to resolve the stand-off.
The agency said it was seeking more information from Uber.
"We are pressing them for the full details of what has happened so that we can be satisfied that all the right protections are in place for the personal data of drivers and customers in London," a Transport for London spokesman said.
Britain's National Cyber Security Centre said it was working with other national authorities to determine how UK citizens may have been affected, but added that it has no information, so far, that customer financial details had been compromised.