- Uber could face an investigation and fines in the U.K. after covering up a data breach
- In 2016, hackers stole names and driver's license numbers of around 600,000 Uber drivers, as well as some rider names, email addresses, and phone numbers
- The U.K.'s Information Commissioner's Office (ICO) said Uber's move to conceal the data breach "raises huge concerns about its data protection policies and ethics"
Uber could face an investigation and potential fines in the U.K. after covering up a massive data breach, the country's data watchdog told CNBC on Wednesday.
On Tuesday, Uber revealed that it had suffered a hack by two people on its third-party cloud service. The names and driver's license numbers of around 600,000 drivers in the U.S. were stolen, as well as some rider names, email addresses, and phone numbers. In total, 57 million people were affected.
The ride-hailing company also paid those hackers $100,000 to delete the data and keep the breach quiet.
Britain's Information Commissioner's Office (ICO), which was set up to ensure companies are protecting the privacy of individuals, said it was looking into the breach and Uber's subsequent actions.
"We will be investigating but as regards what actions we eventually take that depends on what we find, and obviously it's very early days at this stage," an ICO spokesperson told CNBC by phone on Wednesday.
In a separate statement posted online, ICO Deputy Commissioner James Dipple-Johnstone said Uber's actions to conceal the data breach "raises huge concerns around its data protection policies and ethics."
"If U.K. citizens were affected then we should have been notified so that we could assess and verify the impact on people whose data was exposed," Dipple-Johnstone said.
He added that the ICO will be working with the U.K.'s National Cyber Security Centre to determine the scale of the breach, how it has affected people in Britain, and what steps Uber needs to take next.
"Deliberately concealing breaches from regulators and citizens could attract higher fines for companies," Dipple-Johnstone said.
The ICO has a number of punishments it can hand out to companies that breach their rules. One of those is issuing fines up to £500,000 ($661,900).
"None of this should have happened, and I will not make excuses for it," CEO Dara Khosrowshahi said in the statement after the breach was disclosed. Khosrowshahi was not at the company at the time of the hack. Former CEO Travis Kalanick was in charge.
The ICO investigation adds to Uber's mounting problems in the U.K., where it has around 40,000 drivers. Earlier this year, London's transport authorities failed to renew Uber's operating license, effectively banning it from operating in the British capital. However, Uber lodged an appeal against the decision, allowing it to continue business while the process is ongoing.
And earlier this month, an employment tribunal rules that Uber's drivers should be classified as workers and not self-employed, which would entitle them to benefits such as minimum wage and holiday pay. Uber said it plans to appeal the ruling.