There is no evidence that Uber customers who had their personal details stolen are at risk of direct financial crime, a minister has insisted, despite hundreds of users complaining that their accounts have been hacked from Russia.
The digital minister, Matt Hancock, told the House of Commons, on Thursday, that the government was still trying to gauge the number of people in the UK affected by the global breach of the personal information of 57 million customers and drivers in October last year, which the company initially concealed.
On Thursday, the Times reported that more than 800 people in Britain and the US have complained on Twitter of having their accounts hacked by Russians and being billed in roubles for taxi journeys in Moscow and St Petersberg.
Those hacks could be unrelated to last yearâs breach but since the October attack came to light on Monday, some users have suggested there is a link , despite Uberâs protestations that there was âno evidenceâ of fraud or misuse of accounts as a result of the hack.
Responding to an urgent question by the Labour MP, Wes Streeting, Hancock said: âAt this stage our initial assessment is, for Uber customers, that the stolen information is not the sort of information that would allow direct financial crime but we are working urgently to verify this and we rule nothing out.â
He urged Uber customers and drivers to monitor their accounts carefully and report any irregularities, adding: âPeople just need to make sure they do not respond to a phishing email.â
Hancock was not directly asked about the reports of hacking of peopleâs accounts from Russia. However, the minister did say that the 2016 attack appeared to have been perpetrated from outside the UK.
Streeting said it was âoutrageousâ that Uber had not told the government yet how many people in the UK had been affected by the breach in October last year. âWhat assurances do we have that the data of Uber customers and drivers isnât in the hands of hackers or criminals today?â he asked.
After a report by Bloomberg, Uberâs chief executive revealed on Tuesday that a third-party server had been infiltrated in late 2016.
A ransom of $100,000 (Â£75,500) was paid to hackers so they would delete the data and keep the security lapse quiet.
Stolen information included names, email addresses and mobile phone numbers, as well as the names and number plates of 600,000 drivers in the US.
Hancock confirmed that the UK authorities were not told of the breach before Uber spoke to the media.
The Information Commissionerâs Office (ICO) has warned Uber it could face fines as a result of the breach. At the moment the maximum fine is limited to Â£500,000 but Hancock said the government was looking to boost the ICOâs powers under a new bill.
He said delayed reporting of breaches was already an aggravating factor but the new legislation would oblige companies to to report breaches âlikely to impact on data subjects to the information commissioner within 72 hours of becoming aware of it and in serious cases will also have to notify those affected by the breachâ.
Hancock said non-compliant companies could face fines of Â£18m or 4% of global turnover.