Urgent Question on Uber House of Commons

kind of education they need to

understand these attitudes are

unacceptable and we do that from an

early age.

THE SPEAKER:

Thank you. Urgent

question, Wes Streeting.

Thank you,

to ask the Secretary of State for

digital Culture, Media and Sport to

make a statement on Government

responsibilities and policies for

protecting British citizens

following the theft of the personal

data of 57 million Uber customers

and drivers.

THE SPEAKER:

The minister for

digital Matt Hancock.

Mr Speaker,

late on Tuesday, we were notified by

the media of a potentially

significant data breach of Uber

driver and customer data. Uber

failed to tell the UK authorities

before they spoke to the media. The

breach appeared dated back over a

year. Appears to have involved Uber

paying criminals money to try to

prevent further data loss. We are

told that some UK citizens' data is

affected. We're verifying the extent

and amount of information. And when

we have a sufficient as isment, we

will publish the details of the

impact on UK citizens and we plan to

do this in a matter of days. This

was, as far as we can tell, not a

hack perpetrated in the UK. Our role

is therefore to understand how UK

citizens are affected. We're working

with the Information Commissioner's

office, the national cybersecurity

centre and they are talking to the

US Federal Trade Commission and

others to get to the bottom of this.

At this stage, our initial

assessment is that for Uber

customers, the stolen information is

not the sort of information that

would allow direct financial crime

but we are working urgently to

verify this further and we rule

nothing out. Our advice to Uber

drivers and customers is to be

vigilant, to monitor accounts,

especially for phishing activities.

If you think you're a victim,

contact the Action Fraud helpline

and follow the NCSC guidance on

passwords and best practise. The new

data protection bill are introducing

a package of tougher measures to

deal with data breaches. Delayed

reporting is an aggravating factor

already but under the new bill

organisations had have to report to

the Information Commissioner within

72 hours of becoming aware of

breaches. And in serious cases will

have to notify those affected by the

breach. The commissioner will have

increased powers to respond in the

way she considers appropriate like

with fines up to £18 million or 4%

of global turnover. We are making

further assessments as we debate

this and we will keep the public and

the House updated.

Thank you. Thank

you to the minister for that reply.

Did I hear even after the Government

has learnt about this data breach

the Government is still not in a

position to tell the public how many

customers and drivers in the UK have

had their personal data compromised

if so, that's outrageous on Uber's

part. They paid hackers 100,000

dollars to delight the data and keep

it quiet. What assurances do we have

that infor more mace isn't in the

hands of criminals today. UK

authorities have acted swiftly since

this came to light. Will the

Government push for the toughest

penalties to punish Uber? Under EU

law, Uber could face fines of 20

million Euros or 4% of their annual

global turnover, which ever is

greater. The maximum fine from the

the FCS a £500,000. In any case, in

this particular case, does he really

think that a fine will cut it? Does

the minister think that a company

that covers up the theft of data and

pay as ransom to criminal hackers

could possibly be considered a fit

and proper operator of licensed mini

cabs in our towns and cities? If

not, what is the Government going to

Bo it? Whence TfL finally took

action over Uber's abysmal safety

record, there were leaflets handed

out attacking the mayor. This is not

a good look for the Government today

and will he revisit that? I'm

pro-tech, pro-innovation. But given

uber's stands of failing to handle

appropriately serious allegations of

rape and sexual assault. Given uber

has had to be dragged through the

court to give drivers employment

rights and pay their fair share of

VAT and they play fast and loose

with data of customers and drivers,

isn't it time the Government stop

cosying up to this grubby and

unethical company and stood up for

the public interest?

Thank you. The

question of licensing taxi companies

and private hire companies is for

local authorities. This is a data

protection issue which we're dealing

with with the utmost urgency. He

raise the issue of fines. We are

legislating currently for the higher

fines I mentioned in my initial

response. That legislation will come

to this House after Christmas. In

terms of ensuring people who think

they have a data breach of the data

they hold on behalf of customers or

others, they already have a

responsibility to pro fact that

data. In future, they'll have a

responsibility to notify the

authorities immediately, within 72

hours. Delaying notification is not

acceptable unless there's a very

good reason for it and is an

aggravating factor in how the

Information Commissioner looks into

this sort of case.

The knowledge he has learned from

this data breach, will he make any

further amendments to the

legislation he brought before the

Lords and that will come back to us

in due course to strengthen the

powers to make sure that companies

report such breaches at an early

stage and take further safeguards to

safeguard the personal data of

customers?

There is no doubt we can

debate that as the legislation comes

through this House. As it happens on

our initial assessment, the two

areas that are most concerning in

terms of the delayed in notification

and that they need to have recourse

and fines, not just to punish bad

behaviour but to incentivise good

behaviour. Those are already covered

by the data protection Bill as it is

drafted in front of the Other Place.

We will have a full assessment of

the information in due course and

can have more confidence in that

assessment, then we can have this

debate when the legislation is in

front of us.

When transport for

London said they would not at --

give the license again to Uber, Uber

e-mailed the customers to protest

about this decision. If it can

e-mail the customers then, should

they do so now and begin that

communication with an apology. Can

you give us any rough idea, I know

he was looking at precise figures,

how many customers and drivers in

the UK had the personal information

compromised by this hack? What type

of data was compromised? What

contacted the Uber have with the

Government for the first time over

this issue and when exactly did that

happen? When did the Minister

personally become aware of this

security breach? And in his view and

the view of the Government, has Uber

broken current UK law in relation to

this page? Will he of the Secretary

of State Colin to the Department or

on the weekend if necessary, to

explain themselves and give more

information about the breach? Given

the magnitude of this breach, has

the Minister satisfied himself about

the facts about this case?

Particularly given that if

regulation requires strengthening

and we can do it in the Other Place

under the data protection Bill right

now? Can he confirm that this bike,

I think he said in a statement he

learned about this on Tuesday,

despite learning about this on

Tuesday, just yesterday in the House

of Lords, the Government blocked the

ability of consumer groups like

Which to get compensation for the

victims of data breach. Will he

commit now to reverse that position

when that amendment comes before the

House at the report stage in the

House of Lords to show that we are

on the side of consumers and

employers, not huge corporations who

are careless with our data?

He asked

a number of questions. In terms of

the number, we do not have

sufficient confidence in the number

we have been told by Uber to be able

to go public on it. We are working

with the National Cyber Security

Centre and the ICA to have more

confidence in that figure. He will

know from the Echo fax breach, the

initial figure that suggested went

up. We want to make sure they get to

the bottom of it. -- Uber --

Equifax. I am willing to come to the

House next week to take further

questions. When did I personally

know about it? I knew about it when

I was alerted by the media. The UK

authorities, whether the Government,

I see all of the National Cyber

Security Centre this, the first

notification was through the media.

He asked whether this was illegal

under current UK law, that is a

matter for the courts but there is a

high chance that it is. He asked

about the question of acting in

order to take up an action because

of the data breach on a data

subject. I am in favour of people

being able to take action when a

data breach has happened and we are

legislating for it. The question

debated yesterday in the Other Place

was whether people should have to

give their consent to be acted on

their behalf. The principle behind

the data protection Bill is to

increase the amount of consent that

people have and that is required,

and to increase people's control

over their own data. This pushes

them in the opposite direction. That

is a reason for why we rejected it

yesterday but we will have a debate

in this House.

I to press on to the

next business at 11pm so people

should pose single sentence, short

questions that will be addressed

with the characters ballistic Serhiy

Smelyk mass of the Minister.

This is concerning not just for

London users but people in the south

what will the Government do when

companies lose data but also seek to

hide from the responsibilities?

Not

only will we use the full force of

the existing law but we are

strengthening the law to give people

more power and control over their

data.

People across the UK will be

shocked that Uber failed to give

notification to the information

Commissioner, the Government and the

cyber Security Centre, could this

stimulate the growth of cyber crime?

What measures will the Minister have

to hold Uber to account and if there

are people in Scotland affected,

will they work with the Scottish

Government and share information?

Of

course I will and we rule nothing

out.

There are going to be lots of

very worried people who have got

Uber accounts. Please can we have

some reassurance from the Minister

that Uber will be held to account

and that we have the right

legislation and structure in place

to stop this kind of thing

happening?

I want to give

reassurance that at this stage the

initial assessment is that for Uber

customers the stolen information is

not the sort of information that

would allow direct financial crime.

People need to make sure they do not

respond to a fishing e-mail and to

follow the NCSC guidelines.

Scandalous disregard by Uber over

the rights of people entrusted with

data shows we need greater

protection. In the budget yesterday

there was a sense about data ethics.

Can the Minister sure some light to

make sure we actually can deal with

these companies in the way that your

friend suggested?

The information

Commissioner is the regulator. We

fingered as a broader question to

ensure that the modern use data --

we think that as a broader question.

Is my honourable friend intending to

have discussions with his

international counterparts given the

international cross-border nature of

the problem?

We have already had

discussions with the US Federal

Trade Commission. And also with the

Dutch authorities because the

European headquarters of Uber is in

Holland and the other pertinent to

the matter.

The Minister has

mentioned the forthcoming data

protection regulations but that is

no requirement for a private company

to report a data breach even though

it is recommended. What will the

Government do to ensure companies

between now and the data protection

regulations to make sure people are

unaware that data is stolen?

The new

data protection rules will come into

force on the 25th of May and it is

important we get the Bill through

before then. She's not quite right

in the premise of the question. It

is already an aggravating factor

that a breach is not reported

promptly.

Companies which are not

just relying on data but didn't buy

data and are indeed market

disrupters will increasingly play an

important part in the UK economy,

what steps at his department taking

to ensure confidence of the British

public in such data driven market

disrupters?

The single best thing

that anybody in this House can do to

improve our ability to respond to

this sort of thing is bought for the

data protection Bill when it comes

into this House.

How will the

Minister enabled big business to

grasp the responsibility for private

detailed, confidential and

significant personal data. They need

to protect it like to be a very own

and that the present they simply do

not do that.

There is lots of sense

and what the honourable gentleman

says. The action that we are taking

is that everything we can do to keep

people's data safe in response to

this incident but Bob Bodley

strengthening the rules will give

people more