Due to the lack of federal law surrounding data breach notification, Uber is subject to a number of laws across 48 states, some of which state that users must be notified immediately of a data breach of their personal information. Hackers were also able to steal the driver's license numbers of roughly 600,000 Uber drivers in the United States.
The chair of the group of European data protection authorities - known as the Article 29 Working Party - said on Thursday the data breach would be discussed at its meeting on November 28 and 29.
We've reached out to the FTC to ask whether it believes Uber has breached the prior consent order and also if it intends to open a formal investigation into the 2016 breach, and will update this story with any response.
'It is a worldwide incident and it is unclear at this stage which countries were affected by the hack.
We are notifying regulatory authorities.
The tech company reportedly tracked down the hackers and pressured them to sign non-disclosure agreements so news of the incident did not become public. The company also ousted its security chief.
The Information Commissioner's Office (ICO) has begun an investigation and said it had "huge concerns"...
"We will seek explanation from the company and find out whether there has been a breach of data in India as well", Ajay Kumar, additional secretary at the ministry of electronics and information technology, told TOI here.
'If UK citizens were affected then we should have been notified so that we could assess and verify the impact on people whose data was exposed.
So Uber is likely to have breached state laws by concealing the breach for so long.
At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals.
'We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed'.
'While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes'.
The fact Uber allowed not one but two attacks to happen, spaced years apart, because engineers put access keys in a publicly accessible location suggests security was hardly being considered - let alone prioritized.