Uber is the latest company to reveal a hack that’s affected 57 million customers and 600,000 drivers. We think it’s time you had better routes to redress when your data is compromised – do you agree?
It’s been reported today that Uber’s breach, which happened in 2016, was concealed by the global transportation giant, who paid the hackers to delete the data.
A spokesperson for Uber told us: ‘The compromised data included the names and driver’s license numbers of around 600,000 drivers in the United States, and some personal information of 57 million Uber users around the world, including names, email addresses and mobile phone numbers.’
They added: ‘At the time of the incident, immediate steps were taken by Uber to secure the data and obtain assurances that the downloaded data had been destroyed.
‘The incident did not breach Uber’s corporate systems or infrastructure, and outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, social security numbers or dates of birth were downloaded.’
While the Information Commissioner’s Office has warned Uber that it faces ‘higher fines’ for concealing the breach, an enormous number of people have been affected by it. In our view, not only does your data need better protection, but you also need better avenues for redress when your data is misused.
In a joint letter to the Digital Minister, Matt Hancock MP, Which?, Age UK, Privacy International and the Open Rights Group have called on the government to make it easier to seek redress for data breaches.
We believe the government should amend the Data Protection Bill, which is currently going through Parliament, to allow independent bodies to take collective redress on behalf of customers when a company has failed to take sufficient action following a data breach.
Data breaches, such as Uber’s, are becoming more common and yet the legal protections for consumers are still lagging behind.
As it stands the law is clear: should your data be compromised you have the right to redress from the company.
Your first step for actually doing so is to contact the company to find out what it is offering. If the company won’t provide you with redress, or what it has offered isn’t good enough, the only other option is to take the company to court yourself. This means a potentially lengthy and costly legal process.
Redress isn’t always financial compensation, in many cases, this could be additional security credit checks or a monitoring service.
We think the best way to ensure that adequate redress is sought for consumers’ who’ve been party to a significant data breach is to allow independent organisations acting in the public interest to take action collectively on behalf of all those who have been affected.
A collective regime would improve processes, cut legal costs and court time, allow companies to address all claims at once and ultimately ensure that data breach victims get appropriate redress for misuse of their data.
Action on redress
Uber’s data breach – and the fact that it hid it – will worry both its customers and drivers. We think it’s critical that the company does all that it can to ensure affected people get clear information about what’s happened.
In the meantime, we’ll be continuing to make the case for collective redress. If you have suffered a data breach and your information was lost then share your story with us and help us make the case for collective redress.
Update: 29 November 2017
Uber has revealed that 2.7 million UK users have been affected by the data breach. The hackers accessed the names, email addresses and mobile numbers of passengers and drivers.
Our managing director of home products and services, Alex Neil, said:
‘Uber’s data breach – and the fact that it was hidden – will worry UK customers and drivers alike. It is critical that the company does all that it can to ensure affected people get clear information about what has happened.
‘Data breaches are becoming more and more common and yet the protections for consumers are lagging behind. The UK Government should use the Data Protection Bill to give independent bodies the power to seek collective redress on behalf of affected customers when a company has failed to take sufficient action following a data breach.’
Are you an Uber customer? Are you concerned that your data has been compromised? Do you think victims of data breaches should have easier routes to redress?