Brighton won’t renew Uber’s licence due to data breach concerns
3 May 2018
In November last year, ride-hailing service Uber announced that a data breach it suffered in 2016, and concealed from the public for over a year, impacted as many as 2.7 million Britons, including both drivers and riders.
Following Uber’s admission, the National Cyber Security Centre said that even though the breach involved usernames, email addresses and mobile phone numbers of 2.7 million Brits, the stolen information does not pose a direct threat to people or allow direct financial crime.
However, the cyber security watchdog asked users to remain vigilant and to contact Action Fraud if they believe their personal details had been misused. At the same time, victims were asked to be vigilant against suspicious phone calls or targeted emails.
Uber could be forced to pay huge fines
Taking cognizance of the fact that personal details of millions of Brits were compromised by the breach as well as due to Uber’s inaction following the breach, the Information Commissioner’s Office said that the ride-hailing service, whose license to operate in the UK was revoked, could face huge fines for deliberately concealing the breach from citizens and regulators.
“We are working with the NCSC plus other relevant authorities in the UK and overseas to determine the scale of the breach, and what steps need to be taken by the firm to ensure it fully complies with its data protection obligations.
“It’s always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers. Deliberately concealing breaches from regulators and citizens could attract higher fines for companies,” said James Dipple-Johnstone, deputy commissioner, ICO.
Uber not safe enough to operate
Earlier this week, the local council of Brighton announced that it will not renew Uber’s licence to operate in the region not only due to the data breach but also because of the firm’s lack of commitment to use drivers licenced in Brighton.
“When making Hackney Carriage and Private Hire operator licensing decisions, our priority is the safety of residents and visitors and, due to the data breach and the lack of commitment to using drivers licensed here, we were not satisfied that UBL [Uber Britannia Ltd] are a fit and proper person to hold an operator’s licence in the city,” said Councillor Jackie O’Quinn, the Chair of Brighton’s licensing panel.
“In the original application in 2015, UBL gave a firm commitment to adhere to the standards set out in the Blue Book and only to use Brighton & Hove licensed drivers. We do not feel the spirit of this commitment has been kept to. In the panel’s view, large numbers of taxis operating in the city that do not meet our Blue Book standards puts the safety of residents and visitors at potential risk,” she added.
The panel, which unanimously decided against renewing Uber’s licence to operate in the city, expressed significant concerns about the company’s data breach before arriving at the decision.
“This is a disappointing decision for the thousands of passengers and drivers who rely on our app in Brighton and Hove. We intend to appeal so we can continue serving the city,” said an Uber spokesman.
The massive data breach suffered by Uber in 2016 occurred after a developer mistakenly checked a password into GitHub, allowing hackers to use the password to infiltrate Uber’s digital infrastructure. This led many researchers to question whether Uber intended to address how its engineers would store or share passwords for GitHub accounts in the future.
Uber addressed such concerns earlier this year after it decided not to use GitHub for any purpose other than open-source projects and took steps to implement multifactor authentication for GitHub. However, the non-renewal of its licence to operate in Brighton suggests that the company needs to do a lot more to alleviate data breach concerns as well as concerns about the security of personal data of drivers and customers stored by it.