0:00:00 > 0:00:00kind of education they need to understand these attitudes are
0:00:00 > 0:00:03unacceptable and we do that from an early age.
0:00:03 > 0:00:09THE SPEAKER:Thank you. Urgent question, Wes Streeting.Thank you,
0:00:09 > 0:00:14to ask the Secretary of State for digital Culture, Media and Sport to
0:00:14 > 0:00:18make a statement on Government responsibilities and policies for
0:00:18 > 0:00:23protecting British citizens following the theft of the personal
0:00:23 > 0:00:28data of 57 million Uber customers and drivers.
0:00:28 > 0:00:32THE SPEAKER:The minister for digital Matt Hancock.Mr Speaker,
0:00:32 > 0:00:38late on Tuesday, we were notified by the media of a potentially
0:00:38 > 0:00:41significant data breach of Uber driver and customer data. Uber
0:00:41 > 0:00:47failed to tell the UK authorities before they spoke to the media. The
0:00:47 > 0:00:51breach appeared dated back over a year. Appears to have involved Uber
0:00:51 > 0:00:56paying criminals money to try to prevent further data loss. We are
0:00:56 > 0:01:03told that some UK citizens' data is affected. We're verifying the extent
0:01:03 > 0:01:08and amount of information. And when we have a sufficient as isment, we
0:01:08 > 0:01:13will publish the details of the impact on UK citizens and we plan to
0:01:13 > 0:01:19do this in a matter of days. This was, as far as we can tell, not a
0:01:19 > 0:01:25hack perpetrated in the UK. Our role is therefore to understand how UK
0:01:25 > 0:01:30citizens are affected. We're working with the Information Commissioner's
0:01:30 > 0:01:34office, the national cybersecurity centre and they are talking to the
0:01:34 > 0:01:38US Federal Trade Commission and others to get to the bottom of this.
0:01:38 > 0:01:43At this stage, our initial assessment is that for Uber
0:01:43 > 0:01:46customers, the stolen information is not the sort of information that
0:01:46 > 0:01:51would allow direct financial crime but we are working urgently to
0:01:51 > 0:01:55verify this further and we rule nothing out. Our advice to Uber
0:01:55 > 0:02:01drivers and customers is to be vigilant, to monitor accounts,
0:02:01 > 0:02:05especially for phishing activities. If you think you're a victim,
0:02:05 > 0:02:13contact the Action Fraud helpline and follow the NCSC guidance on
0:02:13 > 0:02:21passwords and best practise. The new data protection bill are introducing
0:02:21 > 0:02:26a package of tougher measures to deal with data breaches. Delayed
0:02:26 > 0:02:31reporting is an aggravating factor already but under the new bill
0:02:31 > 0:02:34organisations had have to report to the Information Commissioner within
0:02:34 > 0:02:3872 hours of becoming aware of breaches. And in serious cases will
0:02:38 > 0:02:42have to notify those affected by the breach. The commissioner will have
0:02:42 > 0:02:48increased powers to respond in the way she considers appropriate like
0:02:48 > 0:02:53with fines up to £18 million or 4% of global turnover. We are making
0:02:53 > 0:02:56further assessments as we debate this and we will keep the public and
0:02:56 > 0:03:04the House updated.Thank you. Thank you to the minister for that reply.
0:03:04 > 0:03:08Did I hear even after the Government has learnt about this data breach
0:03:08 > 0:03:12the Government is still not in a position to tell the public how many
0:03:12 > 0:03:17customers and drivers in the UK have had their personal data compromised
0:03:17 > 0:03:24if so, that's outrageous on Uber's part. They paid hackers 100,000
0:03:24 > 0:03:30dollars to delight the data and keep it quiet. What assurances do we have
0:03:30 > 0:03:35that infor more mace isn't in the hands of criminals today. UK
0:03:35 > 0:03:38authorities have acted swiftly since this came to light. Will the
0:03:38 > 0:03:47Government push for the toughest penalties to punish Uber? Under EU
0:03:47 > 0:03:53law, Uber could face fines of 20 million Euros or 4% of their annual
0:03:53 > 0:04:00global turnover, which ever is greater. The maximum fine from the
0:04:00 > 0:04:05the FCS a £500,000. In any case, in this particular case, does he really
0:04:05 > 0:04:09think that a fine will cut it? Does the minister think that a company
0:04:09 > 0:04:14that covers up the theft of data and pay as ransom to criminal hackers
0:04:14 > 0:04:19could possibly be considered a fit and proper operator of licensed mini
0:04:19 > 0:04:23cabs in our towns and cities? If not, what is the Government going to
0:04:23 > 0:04:32Bo it? Whence TfL finally took action over Uber's abysmal safety
0:04:32 > 0:04:36record, there were leaflets handed out attacking the mayor. This is not
0:04:36 > 0:04:43a good look for the Government today and will he revisit that? I'm
0:04:43 > 0:04:49pro-tech, pro-innovation. But given uber's stands of failing to handle
0:04:49 > 0:04:53appropriately serious allegations of rape and sexual assault. Given uber
0:04:53 > 0:04:59has had to be dragged through the court to give drivers employment
0:04:59 > 0:05:05rights and pay their fair share of VAT and they play fast and loose
0:05:05 > 0:05:10with data of customers and drivers, isn't it time the Government stop
0:05:10 > 0:05:15cosying up to this grubby and unethical company and stood up for
0:05:15 > 0:05:23the public interest?Thank you. The question of licensing taxi companies
0:05:23 > 0:05:29and private hire companies is for local authorities. This is a data
0:05:29 > 0:05:34protection issue which we're dealing with with the utmost urgency. He
0:05:34 > 0:05:39raise the issue of fines. We are legislating currently for the higher
0:05:39 > 0:05:44fines I mentioned in my initial response. That legislation will come
0:05:44 > 0:05:51to this House after Christmas. In terms of ensuring people who think
0:05:51 > 0:05:56they have a data breach of the data they hold on behalf of customers or
0:05:56 > 0:06:00others, they already have a responsibility to pro fact that
0:06:00 > 0:06:06data. In future, they'll have a responsibility to notify the
0:06:06 > 0:06:12authorities immediately, within 72 hours. Delaying notification is not
0:06:12 > 0:06:16acceptable unless there's a very good reason for it and is an
0:06:16 > 0:06:21aggravating factor in how the Information Commissioner looks into
0:06:21 > 0:06:37this sort of case.
0:06:37 > 0:06:42The knowledge he has learned from this data breach, will he make any
0:06:42 > 0:06:45further amendments to the legislation he brought before the
0:06:45 > 0:06:50Lords and that will come back to us in due course to strengthen the
0:06:50 > 0:06:55powers to make sure that companies report such breaches at an early
0:06:55 > 0:06:59stage and take further safeguards to safeguard the personal data of
0:06:59 > 0:07:05customers?There is no doubt we can debate that as the legislation comes
0:07:05 > 0:07:11through this House. As it happens on our initial assessment, the two
0:07:11 > 0:07:16areas that are most concerning in terms of the delayed in notification
0:07:16 > 0:07:22and that they need to have recourse and fines, not just to punish bad
0:07:22 > 0:07:26behaviour but to incentivise good behaviour. Those are already covered
0:07:26 > 0:07:30by the data protection Bill as it is drafted in front of the Other Place.
0:07:30 > 0:07:35We will have a full assessment of the information in due course and
0:07:35 > 0:07:42can have more confidence in that assessment, then we can have this
0:07:42 > 0:07:49debate when the legislation is in front of us.When transport for
0:07:49 > 0:07:57London said they would not at -- give the license again to Uber, Uber
0:07:57 > 0:08:05e-mailed the customers to protest about this decision. If it can
0:08:05 > 0:08:09e-mail the customers then, should they do so now and begin that
0:08:09 > 0:08:13communication with an apology. Can you give us any rough idea, I know
0:08:13 > 0:08:19he was looking at precise figures, how many customers and drivers in
0:08:19 > 0:08:25the UK had the personal information compromised by this hack? What type
0:08:25 > 0:08:28of data was compromised? What contacted the Uber have with the
0:08:28 > 0:08:33Government for the first time over this issue and when exactly did that
0:08:33 > 0:08:38happen? When did the Minister personally become aware of this
0:08:38 > 0:08:46security breach? And in his view and the view of the Government, has Uber
0:08:46 > 0:08:53broken current UK law in relation to this page? Will he of the Secretary
0:08:53 > 0:08:56of State Colin to the Department or on the weekend if necessary, to
0:08:56 > 0:09:01explain themselves and give more information about the breach? Given
0:09:01 > 0:09:05the magnitude of this breach, has the Minister satisfied himself about
0:09:05 > 0:09:10the facts about this case? Particularly given that if
0:09:10 > 0:09:13regulation requires strengthening and we can do it in the Other Place
0:09:13 > 0:09:20under the data protection Bill right now? Can he confirm that this bike,
0:09:20 > 0:09:23I think he said in a statement he learned about this on Tuesday,
0:09:23 > 0:09:28despite learning about this on Tuesday, just yesterday in the House
0:09:28 > 0:09:35of Lords, the Government blocked the ability of consumer groups like
0:09:35 > 0:09:42Which to get compensation for the victims of data breach. Will he
0:09:42 > 0:09:45commit now to reverse that position when that amendment comes before the
0:09:45 > 0:09:50House at the report stage in the House of Lords to show that we are
0:09:50 > 0:09:54on the side of consumers and employers, not huge corporations who
0:09:54 > 0:10:03are careless with our data?He asked a number of questions. In terms of
0:10:03 > 0:10:07the number, we do not have sufficient confidence in the number
0:10:07 > 0:10:14we have been told by Uber to be able to go public on it. We are working
0:10:14 > 0:10:19with the National Cyber Security Centre and the ICA to have more
0:10:19 > 0:10:23confidence in that figure. He will know from the Echo fax breach, the
0:10:23 > 0:10:28initial figure that suggested went up. We want to make sure they get to
0:10:28 > 0:10:39the bottom of it. -- Uber -- Equifax. I am willing to come to the
0:10:39 > 0:10:43House next week to take further questions. When did I personally
0:10:43 > 0:10:50know about it? I knew about it when I was alerted by the media. The UK
0:10:50 > 0:10:55authorities, whether the Government, I see all of the National Cyber
0:10:55 > 0:10:59Security Centre this, the first notification was through the media.
0:10:59 > 0:11:04He asked whether this was illegal under current UK law, that is a
0:11:04 > 0:11:11matter for the courts but there is a high chance that it is. He asked
0:11:11 > 0:11:21about the question of acting in order to take up an action because
0:11:21 > 0:11:26of the data breach on a data subject. I am in favour of people
0:11:26 > 0:11:30being able to take action when a data breach has happened and we are
0:11:30 > 0:11:35legislating for it. The question debated yesterday in the Other Place
0:11:35 > 0:11:40was whether people should have to give their consent to be acted on
0:11:40 > 0:11:43their behalf. The principle behind the data protection Bill is to
0:11:43 > 0:11:50increase the amount of consent that people have and that is required,
0:11:50 > 0:11:54and to increase people's control over their own data. This pushes
0:11:54 > 0:12:00them in the opposite direction. That is a reason for why we rejected it
0:12:00 > 0:12:07yesterday but we will have a debate in this House.I to press on to the
0:12:07 > 0:12:13next business at 11pm so people should pose single sentence, short
0:12:13 > 0:12:17questions that will be addressed with the characters ballistic Serhiy
0:12:17 > 0:12:19Smelyk mass of the Minister.
0:12:24 > 0:12:33This is concerning not just for London users but people in the south
0:12:33 > 0:12:39what will the Government do when companies lose data but also seek to
0:12:39 > 0:12:43hide from the responsibilities?Not only will we use the full force of
0:12:43 > 0:12:46the existing law but we are strengthening the law to give people
0:12:46 > 0:12:54more power and control over their data.People across the UK will be
0:12:54 > 0:13:03shocked that Uber failed to give notification to the information
0:13:03 > 0:13:08Commissioner, the Government and the cyber Security Centre, could this
0:13:08 > 0:13:13stimulate the growth of cyber crime? What measures will the Minister have
0:13:13 > 0:13:17to hold Uber to account and if there are people in Scotland affected,
0:13:17 > 0:13:22will they work with the Scottish Government and share information?Of
0:13:22 > 0:13:29course I will and we rule nothing out.There are going to be lots of
0:13:29 > 0:13:33very worried people who have got Uber accounts. Please can we have
0:13:33 > 0:13:38some reassurance from the Minister that Uber will be held to account
0:13:38 > 0:13:40and that we have the right legislation and structure in place
0:13:40 > 0:13:45to stop this kind of thing happening?I want to give
0:13:45 > 0:13:50reassurance that at this stage the initial assessment is that for Uber
0:13:50 > 0:13:53customers the stolen information is not the sort of information that
0:13:53 > 0:13:58would allow direct financial crime. People need to make sure they do not
0:13:58 > 0:14:03respond to a fishing e-mail and to follow the NCSC guidelines.
0:14:03 > 0:14:09Scandalous disregard by Uber over the rights of people entrusted with
0:14:09 > 0:14:13data shows we need greater protection. In the budget yesterday
0:14:13 > 0:14:19there was a sense about data ethics. Can the Minister sure some light to
0:14:19 > 0:14:23make sure we actually can deal with these companies in the way that your
0:14:23 > 0:14:29friend suggested?The information Commissioner is the regulator. We
0:14:29 > 0:14:35fingered as a broader question to ensure that the modern use data --
0:14:35 > 0:14:44we think that as a broader question. Is my honourable friend intending to
0:14:44 > 0:14:47have discussions with his international counterparts given the
0:14:47 > 0:14:53international cross-border nature of the problem?We have already had
0:14:53 > 0:14:58discussions with the US Federal Trade Commission. And also with the
0:14:58 > 0:15:01Dutch authorities because the European headquarters of Uber is in
0:15:01 > 0:15:06Holland and the other pertinent to the matter.The Minister has
0:15:06 > 0:15:08mentioned the forthcoming data protection regulations but that is
0:15:08 > 0:15:13no requirement for a private company to report a data breach even though
0:15:13 > 0:15:16it is recommended. What will the Government do to ensure companies
0:15:16 > 0:15:21between now and the data protection regulations to make sure people are
0:15:21 > 0:15:25unaware that data is stolen?The new data protection rules will come into
0:15:25 > 0:15:29force on the 25th of May and it is important we get the Bill through
0:15:29 > 0:15:34before then. She's not quite right in the premise of the question. It
0:15:34 > 0:15:38is already an aggravating factor that a breach is not reported
0:15:38 > 0:15:48promptly.Companies which are not just relying on data but didn't buy
0:15:48 > 0:15:51data and are indeed market disrupters will increasingly play an
0:15:51 > 0:15:57important part in the UK economy, what steps at his department taking
0:15:57 > 0:16:02to ensure confidence of the British public in such data driven market
0:16:02 > 0:16:06disrupters?The single best thing that anybody in this House can do to
0:16:06 > 0:16:09improve our ability to respond to this sort of thing is bought for the
0:16:09 > 0:16:16data protection Bill when it comes into this House.How will the
0:16:16 > 0:16:21Minister enabled big business to grasp the responsibility for private
0:16:21 > 0:16:24detailed, confidential and significant personal data. They need
0:16:24 > 0:16:27to protect it like to be a very own and that the present they simply do
0:16:27 > 0:16:31not do that.There is lots of sense and what the honourable gentleman
0:16:31 > 0:16:38says. The action that we are taking is that everything we can do to keep
0:16:38 > 0:16:42people's data safe in response to this incident but Bob Bodley
0:16:42 > 0:16:44strengthening the rules will give people more