The Information Commissioner's Office has said the fact that Uber concealed the data breach "raises huge concerns around its data protection policies and ethics".
ICO deputy commissioner James Dipple-Johnstone said: "If UK citizens were affected then we should have been notified so that we could assess and verify the impact on people whose data was exposed."
He added that the ICO be working with the National Cyber Security Centre and the National Crime Agency plus other relevant authorities in the UK and overseas to determine the scale of the breach, how it has affected people in the UK and what steps need to be taken by the firm to ensure it fully complies with its data protection obligations.
And Dipple-Johnstone warned: "Deliberately concealing breaches from regulators and citizens could attract higher fines for companies.”
Meanwhile Joe Hancock, cyber security lead at Mishcon de Reya believes that as Uber has known about this data breach for a year, the firm may fall foul of US breach notification laws.
He commented: “Uber encountered issues when it failed to report breaches in 2014. European companies should take heed from this example and the implementation of GDPR will also require notification of affected users for sensitive breaches. "
De Reya predicts that the lack of reporting by such a high-profile company is sure to drive further regulation. Many governments seem to be taking the view that businesses cannot be trusted on cyber and data protection issues, he reckons.
“Cyber security professionals should stand up to prevent companies from concealing these sorts of breaches in the future. There is the suggestion that some members of the security team at Uber may have been involved in a cover up. After the Equifax breach, which raised difficult questions for executives, there is no longer any doubt that cyber issues will cost senior directors their jobs and reputations if the wrong decisions are made.
“The mechanics of the hack are not sophisticated and restrictions around account access, such as requiring two factor authentication, may have prevented it. There is also little justification for such a large archive of user data to be left in situ. Attacks on cloud systems are now common and the cloud remains a blind spot for many companies that rely on it without necessarily understanding how to properly secure it,” he concluded.