Uber probed by global regulators over huge data breach and cover up

Arjun Kharpal
Three top managers have resigned from Uber's international, business operations and physical security teams.

Regulators around the world are probing a massive data breach at ride-hailing service Uber and its apparent role in covering it up.

On Tuesday, Uber disclosed that hackers stole data from 57 million riders and drivers in an attack that happened in 2016. The company paid the hackers $100,000 to delete the data and keep the breach quiet.

Uber fired Chief Security Officer Joe Sullivan for his role, and CEO Dara Khosrowshahi, who was not with the company at the time of the hack, said "none of this should have happened."

But the U.S. technology firm is now in the cross-hairs of regulators around the world.

Australia's data protection watchdog said it has "commenced inquiries with Uber."

"Incidents such as this are a timely reminder to Australians of the value of the personal information we provide in order to receive products and services," the Australian Information and Privacy Commissioner's office said in a statement on Wednesday.

Singapore's Personal Data Protection Commission told CNBC in an emailed statement on Thursday that it is "aware of the breach and is in touch with Uber for more details."

The U.K.'s Information Commissioner's Office (ICO) told CNBC on Wednesday that Uber could face an investigation and even potential fines up to £500,000 ($661,900).

"We will be investigating but as regards what actions we eventually take, that depends on what we find, and obviously it's very early days at this stage," an ICO spokesperson told CNBC by phone on Wednesday.

Uber did not immediately respond when contacted by CNBC for comment.

At home in the U.S., five states said they would investigate the data breach, according to a Recode report on Wednesday.


Many jurisdictions have penalties if a company is found to be in breach of data protection laws. Australia, for example, could charge up to 420,000 Australian dollars ($320,000) if it deems a company to have been involved in a case that is a "serious or repeated interference with privacy."

Singapore's authorities could tell a company to destroy personal data collected that contravenes its data privacy laws. It could also ask the company to provide access to or correct personal data of customers. And Singapore could also fine the company up to 1 million Singapore dollars or $742,390.

It's important to note that many of the discussions with Uber are in their early stages and there is no indication yet about what actions regulators will take.

The regulatory scrutiny across the world could add to Uber's other troubles in certain markets. For example, in the U.K., Uber is currently in a legal battle about whether its drivers should be classed as employees or self-employed. And in the British capital of London, Uber is appealing a ban.