(Urgent Question): To ask the Secretary of State for Digital, Culture, Media and Sport to make a statement on Government responsibilities and policies for protecting British citizens, following the theft of the personal data of 57 million Uber customers and drivers.
Late on Tuesday, we were notified by the media of a potentially significant data breach of Uber driver and customer data. Uber had failed to tell the UK authorities before it spoke to the media about this. The breach appears to date back over a year and to involve Uber paying criminals money to try to prevent further data loss. We are told that some UK citizens’ data is affected.
We are verifying the extent and the amount of information. When we have a sufficient assessment, we will publish the details of the impact on UK citizens, and we plan to do that in a matter of days. As far as we can tell, the hack was not perpetrated in the UK, so our role is to understand how UK citizens are affected. We are working with the Information Commissioner’s Office and the National Cyber Security Centre, and they are talking to the US Federal Trade Commission and others to get to the bottom of things.
At this stage, our initial assessment is that the stolen information is not the sort that would allow direct financial crime, but we are working urgently to verify that further, and we rule nothing out. Our advice to Uber drivers and customers is to be vigilant and to monitor accounts, especially for phishing activity. If anyone thinks they are a victim, contact the Action Fraud helpline and follow the NCSC guidance on passwords and best practice.
More broadly, the general data protection regulation and the new Data Protection Bill, which is currently before the other place, will introduce a package of tougher measures to address data breaches. Delayed reporting is already an aggravating factor, but the new Bill will require organisations to report breaches likely to impact on data subjects to the Information Commissioner within 72 hours of becoming aware of one. In serious cases, they will also have to notify those affected by the breach. The commissioner will have increased powers to respond in the way that she considers appropriate, including with fines of up £18 million or 4% of global turnover. We are making further assessments as I speak, and we will keep the public and the House updated.
I thank the Minister for that reply. Did I hear correctly that, even after the Government learned about the data breach, they are still not in a position to tell the public how many customers and drivers in the UK have had their personal data compromised? If so, that is outrageous on Uber’s part. Uber apparently paid criminal hackers $100,000 to delete the data and keep quiet, but what assurances do we have that the data of Uber customers and drivers is not in the hands of hackers or criminals today?
UK authorities have acted swiftly since the security breach came to light, so will the Government therefore push for the toughest penalties to punish Uber for this outrageous dereliction of its ethical and legal obligations to the public? Under EU law, Uber could face a fine of €20 million or 4% of its annual global turnover—whichever is greater—but the maximum fine from the ICO is just half a million pounds. Will the Minister review the maximum fines in the UK once we leave the EU? In any case, does he really think that a fine will cut it in this case? Does he think that a company that covers up the theft of data and pays a ransom to criminal hackers can possibly be considered a fit and proper operator of licensed minicabs in our towns and cities? If not, what are the Government going to do about it? When Transport for London finally took action over Uber’s abysmal safety record, the Conservative party handed out leaflets attacking the Mayor. Does the Minister agree that that is not a good look for the Government today, and will he revisit that choice?
Like the Minister, I am pro-tech, pro-competition and pro-innovation, but given that Uber stands accused by the Metropolitan Police of failing to handle serious allegations of rape and sexual assault appropriately, given that Uber has to be dragged through the courts to provide its drivers with basic employment rights and to pay its fair share of VAT and given that we now know that Uber plays fast and loose with the personal data of its 57 million customers and drivers, is it not time that the Government stopped cosying up to this grubby, unethical company and started standing up for the public interest?
Licensing taxi companies and private hire companies is rightly for local authorities. This is a data protection issue, and we are dealing with it with the utmost urgency. The hon. Gentleman mentioned fines, and we are currently legislating for the higher fines that I mentioned in my initial response, and that legislation will come to this House after Christmas. As for ensuring that organisations that think that the data they hold on behalf of customers or others has been breached, they already have a responsibility to protect that data. In future, they will have a responsibility to inform the authorities within 72 hours. Delaying notification is unacceptable unless there is a very good reason and is, as I said, an aggravating factor when the Information Commissioner looks into such cases.
I thank my right hon. Friend for his answers. Given the knowledge he has already gleaned from this disgraceful data breach, does he propose to make any further amendments to the Data Protection Bill, which has been brought before the Lords and which will come here in due course, to strengthen the powers to make sure that companies report such breaches at an early stage and take further measures to safeguard customers’ personal data?
We can debate that when the Bill comes to this House. As it happens, on our initial assessment, the two most concerning issues—the delay in notification and the need for recourse and fines, not just to punish bad behaviour but to incentivise good behaviour—are already covered in the Bill, but we can have that debate in due course, when we have a fuller assessment of the information and more confidence in that assessment, when the Bill comes before us.
When Transport for London announced on 22 September that it would not renew Uber’s licence in London, Uber emailed its customers the very same day to ask them to protest against the decision. Does the Minister agree that if it could email all its customers then, it should do so now, and begin that communication with an apology?
I would be grateful if the Minister answered the following questions. Can he give us a rough idea—I know he said he was looking into the precise figures—of how many customers and drivers in the UK had their personal information compromised by the hack and what kind of data was compromised? What was the first contact Uber had with the Government and when did it happen? When did he personally become aware of this security breach? In his view and that of the Government, has Uber broken current UK law? If it has not done so already, will he or the Secretary of State call Uber into the Department immediately, or over the weekend if necessary, to explain itself and give more information about the breach?
Given the magnitude of the breach, has the Minister satisfied himself about the facts of the case, particularly given that if regulation requires strengthening, we can do it right now in the other place in the Data Protection Bill, as he has pointed out? I think that he said in his answer that he learned about the breach on Tuesday. Can he confirm that despite that, just yesterday in the House of Lords, the Government blocked the ability of consumer groups such as Which? to initiate action for victims of data breaches? Will he commit now—I think that he said he was prepared to make some movement—to reversing that position when the amendment comes before the House of Lords on Report, to show that we are on the side of consumers and employers, not huge corporations that are careless with our data?
I will try to address all the hon. Gentleman’s questions. We do not have sufficient confidence in the number that Uber has told us to go public on it, but we are working with the National Cyber Security Centre and the ICO to have more confidence in the figure. He will remember in the Equifax breach that the initial figure suggested went up. We want to get to the bottom of it and will publish further details within days, and if required I will be happy to come before the House to take further questions.
The hon. Gentleman asked when I personally knew about the breach. I knew about it when I was alerted by the media. As far as we are aware, the first notification to UK authorities—whether the Government, the ICO or the NCSC—was through the media. He asked whether Uber has done anything illegal under current UK law, which of course would be a matter for the courts, but I think there is a very high chance that it has.
The hon. Gentleman asked about taking action on behalf of data subjects following a data breach. I am strongly in favour of people being able to take action following a data breach, and we are legislating for that. The question debated yesterday in the other place was whether people should have to give their consent to action being taken on their behalf, and the whole principle behind the Data Protection Bill is to increase the level of consent required and people’s control over their own data. The proposed amendment pushed in the opposite direction, which is why we rejected it yesterday, but we will have the debate in this House, too.
Order. I advise the House that I am very keen to press on to the next business at 11 o’clock, so people should pose single-sentence, short questions, which will be addressed with the characteristic succinctness of the Minister for Digital.
The situation is extremely concerning not only for London users but for users of Uber South Coast, which operates in and around Southampton. What is the Minister doing to hold to account companies that lose data and then seek to hide from their responsibilities?
Not only will we, of course, use the full force of the existing law, but we are strengthening the law to give people more power and control over their data.
People across the UK will be shocked that Uber failed to notify the Information Commissioner, the National Cyber Security Centre or the UK Government. Given the current climate, covering up this breach and paying hackers could actually stimulate the growth of cyber-crime. What measures will the Minister consider to hold Uber to account? If people in Scotland are affected, will he work with the Scottish Government and share information with them?
Yes, of course I will. We rule nothing out.
Obviously, there will be an awful lot of very worried people out there with Uber accounts. Can we please have some reassurance from the Minister that, first, Uber will be held to account and, secondly, that we have the right legislation and structures in place to stop such things happening?
Yes, I give the assurance that, at this stage, our initial assessment is that, for Uber customers, the stolen information is not the sort that would allow direct financial crime. People just need to make sure that they do not respond to phishing emails and that they follow NSCS guidance.
Uber’s scandalous disregard for the rights of the millions of people who have entrusted it with their personal data shows that we need stronger protection. There was a suggestion in yesterday’s Budget that there will be a centre for data ethics. Can the Minister shed some light on the centre’s relationship with the Information Commissioner’s Office to ensure that we can deal with these over-mighty companies in the way that my hon. Friend the Member for Ilford North (Wes Streeting) suggested?
This is an important subject. The Information Commissioner, of course, is the regulator, and we think that there is a broader question to ensure that the modern use of data is both innovative and follows a decent set of ethics, which is what the proposed centre is all about.
Does my right hon. Friend intend to have any discussions with his international counterparts, given the international and cross-border nature of the problem?
Yes. As I said, we have already had discussions with the US Federal Trade Commission and with the Dutch authorities—Uber’s European headquarters is in Holland, so they are pertinent to the matter.
The Minister has mentioned the forthcoming data protection regulations, but there is currently no requirement for a private company to report a data breach, although it is recommended. What will the Government do, between now and the introduction of the data protection regulations, to ensure that companies make people aware when their data is stolen?
The new data protection rules will come into force on 25 May 2018, and it is important that we get the Bill through before then. The premise of the hon. Lady’s question is not quite right. It is already an aggravating factor if a breach is not reported promptly.
Market disrupters that not only rely on data but are driven by data will increasingly play an important part in the UK economy. What steps is the Department taking to ensure the confidence of the British public in such data-driven market disrupters?
The single best thing anybody in this House can do to try to improve our ability to respond to this sort of issue is to vote for the Data Protection Bill when it comes before this House.
I thank the Minister for his response. How will he enable big businesses to grasp their responsibility for private, detailed, confidential and significant personal data? They need to protect it as though it is their very own, and it is clear that at the moment they simply do not do that.
There is a lot of sense in what the hon. Gentleman says, and I hope that the action we are taking is everything we can do to keep people’s data safe in response to this incident. More broadly, strengthening the rules will help give people more control over their data and help to punish those who do not have high data protection standards.