Uber: Personal Data Theft

Wes Streeting Excerpts
Thursday 23rd November 2017

Commons Chamber
Urgent Questions are proposed each morning by backbench MPs, and up to two may be selected each day by the Speaker. Chosen Urgent Questions are announced 30 minutes before Parliament sits each day.

Each Urgent Question requires a Government Minister to give a response on the debate topic.

This information is provided by Parallel Parliament and does not comprise part of the official record.

Wes Streeting (Ilford North) (Lab)

(Urgent Question): To ask the Secretary of State for Digital, Culture, Media and Sport to make a statement on Government responsibilities and policies for protecting British citizens, following the theft of the personal data of 57 million Uber customers and drivers.

The Minister for Digital (Matt Hancock)

Late on Tuesday, we were notified by the media of a potentially significant data breach of Uber driver and customer data. Uber had failed to tell the UK authorities before it spoke to the media about this. The breach appears to date back over a year and to involve Uber paying criminals money to try to prevent further data loss. We are told that some UK citizens’ data is affected.

We are verifying the extent and the amount of information. When we have a sufficient assessment, we will publish the details of the impact on UK citizens, and we plan to do that in a matter of days. As far as we can tell, the hack was not perpetrated in the UK, so our role is to understand how UK citizens are affected. We are working with the Information Commissioner’s Office and the National Cyber Security Centre, and they are talking to the US Federal Trade Commission and others to get to the bottom of things.

At this stage, our initial assessment is that the stolen information is not the sort that would allow direct financial crime, but we are working urgently to verify that further, and we rule nothing out. Our advice to Uber drivers and customers is to be vigilant and to monitor accounts, especially for phishing activity. If anyone thinks they are a victim, contact the Action Fraud helpline and follow the NCSC guidance on passwords and best practice.

More broadly, the general data protection regulation and the new Data Protection Bill, which is currently before the other place, will introduce a package of tougher measures to address data breaches. Delayed reporting is already an aggravating factor, but the new Bill will require organisations to report breaches likely to impact on data subjects to the Information Commissioner within 72 hours of becoming aware of one. In serious cases, they will also have to notify those affected by the breach. The commissioner will have increased powers to respond in the way that she considers appropriate, including with fines of up to £18 million or 4% of global turnover. We are making further assessments as I speak, and we will keep the public and the House updated.

Wes Streeting

I thank the Minister for that reply. Did I hear correctly that, even after the Government learned about the data breach, they are still not in a position to tell the public how many customers and drivers in the UK have had their personal data compromised? If so, that is outrageous on Uber’s part. Uber apparently paid criminal hackers $100,000 to delete the data and keep quiet, but what assurances do we have that the data of Uber customers and drivers is not in the hands of hackers or criminals today?

UK authorities have acted swiftly since the security breach came to light, so will the Government therefore push for the toughest penalties to punish Uber for this outrageous dereliction of its ethical and legal obligations to the public? Under EU law, Uber could face a fine of €20 million or 4% of its annual global turnover—whichever is greater—but the maximum fine from the ICO is just half a million pounds. Will the Minister review the maximum fines in the UK once we leave the EU? In any case, does he really think that a fine will cut it in this case? Does he think that a company that covers up the theft of data and pays a ransom to criminal hackers can possibly be considered a fit and proper operator of licensed minicabs in our towns and cities? If not, what are the Government going to do about it? When Transport for London finally took action over Uber’s abysmal safety record, the Conservative party handed out leaflets attacking the Mayor. Does the Minister agree that that is not a good look for the Government today, and will he revisit that choice?

Like the Minister, I am pro-tech, pro-competition and pro-innovation, but given that Uber stands accused by the Metropolitan Police of failing to handle serious allegations of rape and sexual assault appropriately, given that Uber has to be dragged through the courts to provide its drivers with basic employment rights and to pay its fair share of VAT and given that we now know that Uber plays fast and loose with the personal data of its 57 million customers and drivers, is it not time that the Government stopped cosying up to this grubby, unethical company and started standing up for the public interest?

Matt Hancock

Licensing taxi companies and private hire companies is rightly for local authorities. This is a data protection issue, and we are dealing with it with the utmost urgency. The hon. Gentleman mentioned fines, and we are currently legislating for the higher fines that I mentioned in my initial response, and that legislation will come to this House after Christmas. As for ensuring that organisations that think that the data they hold on behalf of customers or others has been breached, they already have a responsibility to protect that data. In future, they will have a responsibility to inform the authorities within 72 hours. Delaying notification is unacceptable unless there is a very good reason and is, as I said, an aggravating factor when the Information Commissioner looks into such cases.