New York, US (Reuters): Governments around the globe launched investigations into Uber Technologies Inc after the company disclosed it had covered up a breach that exposed data on millions of customers and drivers, the latest scandal to rock the ride-hailing firm.
Some US lawmakers called for Congressional hearings and implored the Federal Trade Commission (FTC) to look into the matter.
Uber said on Wednesday that it has been in touch with the US Federal Trade Commission (FTC) and several states to discuss a hack last year that exposed data on millions of customers and drivers, the latest scandal to rock the ride-hailing firm.
“We’ve been in touch with several state Attorney General Offices and the FTC to discuss this issue, and we stand ready to cooperate with them going forward,” an Uber spokesperson said in a emailed statement.
Uber said on Tuesday that in late 2016 it had paid hackers $100,000 (£75,213.29) to destroy data on more than 57 million customers and driver stolen from the company and decided not to report the matter to victims or authorities.
The money-losing ride-hailing service is known for the tough stance it has taken against regulators as it seeks to aggressively expand and compete with existing taxi services.
Attorneys general in at least four US states, Connecticut, Illinois, Massachusetts and New York, said they had launched investigations into the breach .
“We have serious concerns about the reported conduct,” Massachusetts Attorney General Maura Healey said in a statement.
US Senator Richard Blumenthal took to Twitter to call for the FTC to investigate Uber , describing the company’s behaviour as “inexplicable” and asking for the FTC to impose “significant penalties.”
The FTC, which investigates companies accused of being sloppy with consumer data, said it was looking into the matter, but declined to say if it had launched a formal investigation.
US Representative Frank Pallone called for a Congressional hearing.
Britain’s data protection authority said it would work with agencies in the United Kingdom and overseas to investigate the matter.
“If UK citizens were affected, then we should have been notified so that we could assess and verify the impact on people whose data was exposed,” James Dipple-Johnstone, deputy commissioner of the UK Information Commissioner’s Office, said in a statement.
British law carries a maximum penalty of 500,000 pounds ($662,000) for failing to notify users and regulators when data breaches occur.
“Deliberately concealing breaches from regulators and citizens could attract higher fines for companies,” Dipple-Johnstone said.
The stolen information included names, email addresses and phone numbers of 57 million Uber users around the world, and the names and license numbers of 600,000 US drivers, according to a blog post by Uber’s new chief executive, Dara Khosrowshahi, who replaced co-founder Travis Kalanick as CEO in August.
Uber said it fired its chief security officer, Joe Sullivan, and a deputy, Craig Clark, this week over their role in the incident. Sullivan, formerly the top security official at Facebook Inc and a federal prosecutor, served as both security chief and deputy general counsel for Uber .
Sullivan declined comment. Clark could not be reached for comment.
Kalanick, through a spokesman, declined to comment. The former CEO remains on the Uber board of directors, and Khosrowshahi has said he consults with him regularly.