Ride-hailing app Uber is facing more controversy after it admitted to concealing a data breach that exposed the details of 57m customers, leading the UK's data protection authority to express its "huge concerns" around "policies and ethics" at the US company.
The US tech firm said this week that it had dismissed its chief security officer and another employee for concealing the hack from other executives.
A $100,000 payment was made to the hackers for the deletion of the files, which included names, e-mail addresses and phone numbers of customers and drivers.
"While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection," Uber's chief executive Dara Khosrowshahi said.
Former CEO Travis Kalanick stepped down from the company after a series of PR disasters, including several allegations of sexual harassment from executives within the company.
"None of this should have happened, and I will not make excuses for it," Khosrowshahi added. "While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes."
Companies are generally required to disclose data breaches of this size to regulators, which Uber failed to do in this case.
James Dipple-Johnstone, deputy commissioner at the UK Information Commissioner's Office, said: "Uber's announcement about a concealed data breach last October raises huge concerns around its data protection policies and ethics.
"It's always the company's responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers. If UK citizens were affected then we should have been notified so that we could assess and verify the impact on people whose data was exposed."
Dipple-Johnstone said the data regulator will work with the UK's National Cyber Security Centre and other relevant authorities at home and overseas to determine the scale of the breach, how it has affected people in the UK, and what steps the firm needs to take to ensure it fully complies with its data protection obligations.
"Deliberately concealing breaches from regulators and citizens could attract higher fines for companies."