Instead of disclosing the incident when it was discovered, the company decided to pay a ransom of $100,000 to delete the stolen data. Data privacy regulators in the US, UK and Europe have all announced plans to investigate, and lawsuits have already been filed in a number of US states including California, Illinois and Washington for failure to notify those affected within an appropriate amount of time. Uber kept the breach secret for over a year.
Laws which will be introduced in Australia next February will force organisations to contact victims and report data theft to the Australian Privacy Commissioner.
Uber has apologised for the incident, but the breach could have serious implications for other companies and digital service providers.
Europe is experiencing a turning point when it comes to the regulation of personal data. The EU’s General Data Protection Regulation comes into force next year and its impact on companies that process personal data will be substantial.
Many privacy lawmakers will be looking very closely at the Uber incident, which is likely to adversely affect the value of the company.