UK authorities were unaware of a mass data breach at Uber that potentially saw British customers’ personal details fall into the hands of cyber criminals.
Downing Street said the hack, which affected 57 million customers and drivers worldwide, had not been reported by the taxi-hailing firm after it hushed up the scandal.
Security services and the information watchdog have been left scrabbling to asses the scale of the damage amid warnings Uber’s secrecy could result in “higher fines”.
Uber said it could not yet confirm how many customers in the UK had their details compromised.
News of the hack came in an extraordinary admission by the US firm’s chief executive on Tuesday, revealing a third-party server had been infiltrated in late 2016.
A ransom of 100,000 US dollars (£75,500) had been paid to hackers so they would delete the data and keep the security lapse quiet.
Stolen information included names, email addresses and mobile phone numbers, as well as the names and number plates of 600,000 drivers in the US.
Prime Minister Theresa May’s official spokesman said: “These are obviously concerning reports and the National Cyber Security Centre is working closely with domestic and international agencies, including the National Crime Agency and the Information Commissioner’s Office, to investigate if and how this breach has affected people in the UK.
“It is a worldwide incident and it is unclear at this stage which countries were affected by the hack. What we do know is, based on current information, we have not seen evidence that financial details have been compromised.”
He added that Uber “did not notify individuals in the UK, the UK Government or UK regulators” at the time the hack was discovered in October last year.
The Information Commissioner’s Office (ICO) warned Uber it could face fines, saying the incident raised “huge concerns around its data protection policies and ethics”.
The tech company reportedly tracked down the hackers and pressured them to sign non-disclosure agreements so news of the incident did not become public.
Company executives had then dressed up the breach as a “bug bounty”, the practice of paying hackers to test the strength of software security, according to The New York Times.
Uber chief executive Dara Khosrowshahi, who took over in August, said in a blog there had been “no indication” trip history, credit card details, bank account numbers or dates of birth were downloaded by the hackers.
He wrote: “At the time of the incident, we took immediate steps to secure the data and shut down further unauthorised access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed.”
Affected accounts have been flagged for additional fraud protection, Mr Khosrowshahi said.
“None of this should have happened, and I will not make excuses for it,” he wrote. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”
Data protection lawyers at the Leigh Day legal firm said a “huge number of claims” could be brought against Uber by its customers as a result of the security failing.
Sweeping reforms to data protection laws are to be introduced in the EU next year under the General Data Protection Regulation. It will force companies to officially log data breaches in a timely manner.
Failure to do so could result in a fine which can be 4% of global turnover or millions of pounds.
A spokesman Transport for London, which this year announced it would not be renewing Uber’s licence in the capital, said: “We are working to gain clarity from Uber on whether any of the issues seen in the US have occurred here.”