Brighton & Hove Council
November 25 2017
Dear Mr Court
Uber Breach of Data
I write to you with reference to the serious matter of Uber concealing a breach of data and the council's continuous support of Uber being ‘Fit and Proper’ to hold a Brighton & Hove Operators licence.
Reports have stated that some 57 million account holders and some 600,000 driver details were stolen in 2016.
It is one matter having such a breach of security in the first place but it is an entirely different matter that such a serious breach in 2016 was never revealed to the public or regulators until one year later in November 2017 when it was revealed that it had paid 'hush money' to the hackers.
When it is considered that Fred Jones of Uber immediately ‘reached out’ to the public to condemn TfL and the Mayor of London Sadiq Khan for refusing to re-license Uber and yet remained absolutely silent with no warning to the public when data was stolen... such inaction can clearly demonstrate the fitness of an organisation that is fully supported by the council.
It is presumed that Mr Fred Jones gave no indication to the council that Uber tried to hide this serious data breach when applying for the renewal of the Uber Brighton & Hove Operators Licence when presenting the company as ‘Fit and Proper’ to hold such a licence.
We have since learnt that TfL are now involved in the investigation and on the principle that Brighton & Hove Council have based the recent re-licensing of Uber on how TfL are managing the refusal of the Uber London Licence we now call on Brighton & Hove Council to act in the same way as TfL and carry out its own investigation into the breach of data and the implications of Uber remaining silent about this for over a year.
We also require the council to justify to the trade that it still considers Uber to be ‘Fit and Proper’ to hold a Brighton & Hove Operators Licence.
Evening Standard - TfL investigates whether massive Uber cyber attack impacted Londoners
“The ride-hailing firm admitted this week to concealing a cyber-attack that affected 57 million customers and drivers last year.
Security services and the information watchdog were left scrabbling to assess the scale of the damage on Tuesday, amid warnings Uber's secrecy could result in "higher fines".
The firm hid the breach by reportedly paying hackers a ransom of £75,000 ($100,000) to delete the data and keep the security lapse quiet.
While Uber said it could not confirm how many customers in the UK had their details compromised, TfL said they are working to establish whether the hack affected Londoners. A TfL spokesman said: “We are working to gain clarity from Uber on whether any of the issues seen in the US have occurred here.
“We are pressing them for the full details of what has happened so that we can be satisfied that all the right protections are in place for the personal data of drivers and customers in London.”
Stolen information included names, email addresses and mobile phone numbers, in addition to the names and number plates of 600,000 drivers in the US.
Prime Minister Theresa May's official spokesman said: "These are obviously concerning reports and the National Cyber Security Centre is working closely with domestic and international agencies, including the National Crime Agency and the Information Commissioner's Office, to investigate if and how this breach has affected people in the UK. "It is a worldwide incident and it is unclear at this stage which countries were affected by the hack.
"What we do know is, based on current information, we have not seen evidence that financial details have been compromised." He added that Uber "did not notify individuals in the UK, the UK Government or UK regulators" at the time the hack was discovered in October last year.
The Information Commissioner's Office (ICO) warned Uber it could face fines, saying the incident raised "huge concerns around its data protection policies and ethics". The tech company reportedly tracked down the hackers and pressured them to sign non-disclosure agreements so news of the incident did not become public.
Company executives had then dressed up the breach as a "bug bounty", the practice of paying hackers to test the strength of software security, according to The New York Times. James Dipple-Johnstone, deputy commissioner of the information watchdog, said: "Uber's announcement about a concealed data breach last October raises huge concerns around its data protection policies and ethics.
"It's always the company's responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers.
"If UK citizens were affected then we should have been notified so that we could assess and verify the impact on people whose data was exposed."
He added: "Deliberately concealing breaches from regulators and citizens could attract higher fines for companies."
Please note that I have supplied a copy of this email to various organisations, publications, individuals and interested parties and with respect your reply will be made publicly available unless you specifically refuse permission.
I look forward to your early reply on such an important matter.
GMB Brighton & Hove Taxi Section