Uber has confirmed that data for about 2.7 million customers in the United Kingdom was stolen in the 2016 breach that affected at least 57 million people worldwide. Reports revealed last week that Uber tried to keep the hack secret for more than a year, and even paid the hackers $100,000 to delete the information and stay mum about the whole mess.
The new revelation about UK victims of the breach comes via the nation’s Information Commissioner’s Office, a data protection agency. In a report released today, ICO deputy commissioner James Dipple-Johnstone wrote that,“Uber has said the breach involved names, mobile phone numbers and email addresses.”
But the agency is still trying to confirm the scope of the breach. “As part of our investigation we are still waiting for technical reports which should give full confirmation of the figures and the type of personal data that has been compromised,” Johnstone wrote.
Uber did not respond to a Gizmodo request for comment. A section about the 2016 breach on Uber’s help page states that the company’s “outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded.”
Responding to the report, London mayor Sadiq Khan told The Telegraph “Uber needs to urgently confirm which of their customers are affected, what is being done to ensure these customers don’t suffer adversely, and what action is being taken to prevent this happening again in the future.”
Stateside, Uber is also just beginning to face government scrutiny over the hack. On Monday, Republicans and Democrats in Congress began pressuring Uber to disclose more information about its handling the breach. And the company is already facing about a dozen federal lawsuits related to the incident.