More than 10 British Uber users and a separate group of Uber
drivers have consulted law firm Leigh Day about possible lawsuits
against the ride-hailing firm over the massive data breach which
affected 57 million users globally.
Speaking to Business Insider hours before Uber revealed the breach had affected around 2.7 million UK users, Leigh Day partner Sean Humber said the firm had written letters to Uber on behalf of clients as a preliminary step.
The letters consisted of 26 questions probing whether Uber has evidence that customer data was accessed inappropriately; whether it paid ransoms to hackers and how much; and details of any other hacks.
Humber said the process was at an early stage, and that Leigh Day hadn't launched any formal claims.
"We are at the early stages here," he said. "We're just trying to find out more information in relation to the breach itself. We have clients who are customers, but also drivers, all in the UK."
Humber wouldn't disclose who the customers were, but said more than 10 had been in touch.
GMB, a workers' union that also represents some Uber drivers, separately announced it had asked Leigh Day to probe the hack on behalf of its members.
Uber revealed last week that it had covered up a massive hack in 2016, where hackers accessed email addresses, names, and phone numbers. Uber reportedly paid off hackers as part of the cover-up, and failed to notify customers and regulators around the world of the breach. Incoming chief executive Dara Khosrowshahi apologised for the mistake, and fired the firm's security chief, Joe Sullivan. According to the Wall Street Journal report, however, Khosrowshahi knew about the hack when he took the job in August.
Humber said a legal claim would depend on whether Uber responds to Leigh Day's letters, and what the company says. He wouldn't comment on how much Uber could stand to lose.
"If private, confidential information has been mishandled, that could be a breach of the Data Protection Act, and people would have a claim under the act," he said. "It could be the misuse of private information, or it could be breach of confidence.
"If people have suffered distress or loss as a result of that data breach, in principle they are entitled to compensation."
Part of Humber's job is digging further into what Uber has said publicly. When the ride-hailing firm first disclosed the breach, it cited "outside forensic experts" who said there was no evidence customer or driver data had been misused.
"Who are these outside experts?" said Humber. "Would [Uber] provide us with a copy of their reports? It's important to go beyond assurance. That's all we're asking for at this stage."
It isn't clear how successful any consumer suit against Uber in the UK might be. Uber has consistently stated that it doesn't believe financial information was accessed in the hack, meaning victims might find it difficult to prove harm. Even if lawyers did uncover evidence that victims' financial data was misused, it would be difficult to pin it on a hack that took place last year.
Lawsuits over data leaks are also still relatively rare in the UK, meaning there's little precedent for an Uber case. An ongoing High Court case brought by workers at the supermarket Morrisons is one of the first data leak class actions in the country. There are, however, at least two class-action lawsuits against Uber in the US, though both have been brought about by states rather than individuals: Washington and Chicago.
Uber declined to comment.
Humber's comments come after Matthew Hancock, the UK's digital minister, suggested that Uber had acted illegally by failing to notify regulators of the breach.