Government needs to act now over Uber's personal data breach

November 23, 2017



Uber: Personal Data Theft
23 November 2017

Volume 631

Kevin Brennan (Cardiff West) (Lab): When Transport for London announced on 22 September that it would not renew Uber’s licence in London, Uber emailed its customers the very same day to ask them to protest against the decision. Does the Minister agree that if it could email all its customers then, it should do so now, and begin that communication with an apology?

I would be grateful if the Minister answered the following questions. Can he give us a rough idea—I know he said he was looking into the precise figures—of how many customers and drivers in the UK had their personal information compromised by the hack and what kind of data was compromised? What was the first contact Uber had with the Government and when did it happen? When did he personally become aware of this security breach? In his view and that of the Government, has Uber broken current UK law? If it has not done so already, will he or the Secretary of State call Uber into the Department immediately, or over the weekend if necessary, to explain itself and give more information about the breach?

Given the magnitude of the breach, has the Minister satisfied himself about the facts of the case, particularly given that if regulation requires strengthening, we can do it right now in the other place in the Data Protection Bill, as he has pointed out? I think that he said in his answer that he learned about the breach on Tuesday. Can he confirm that despite that, just yesterday in the House of Lords, the Government blocked the ability of consumer groups such as Which? to initiate action for victims of data breaches? Will he commit now—I think that he said he was prepared to make some movement—to reversing that position when the amendment comes before the House of Lords on Report, to show that we are on the side of consumers and employers, not huge corporations that are careless with our data?

Matt Hancock: I will try to address all the hon. Gentleman’s questions. We do not have sufficient confidence in the number that Uber has told us to go public on it, but we are working with the National Cyber Security Centre and the ICO to have more confidence in the figure. He will remember in the Equifax breach that the initial figure suggested went up. We want to get to the bottom of it and will publish further details within days, and if required I will be happy to come before the House to take further questions.

The hon. Gentleman asked when I personally knew about the breach. I knew about it when I was alerted by the media. As far as we are aware, the first notification to UK authorities—whether the Government, the ICO or the NCSC—was through the media. He asked whether Uber has done anything illegal under current UK law, which of course would be a matter for the courts, but I think there is a very high chance that it has.

The hon. Gentleman asked about taking action on behalf of data subjects following a data breach. I am strongly in favour of people being able to take action following a data breach, and we are legislating for that. The question debated yesterday in the other place was whether people should have to give their consent to action being taken on their behalf, and the whole principle behind the Data Protection Bill is to increase the level of consent required and people’s control over their own data. The proposed amendment pushed in the opposite direction, which is why we rejected it yesterday, but we will have the debate in this House, too.

(Hansard Link)