Uber has revealed that 2.7 million people in the UK – more than half of its user base in the country – were affected by the massive 2016 data breach that the company covered up for more than a year. The hack, which affected a total of 57 million users and drivers across the globe, only came to light last week after Bloomberg reported Uber paid hackers a ransom of $100,000 (£75,500) to delete the stolen data and keep the breach quiet.
Data compromised in the breach included users' names, email addresses and mobile numbers as well as US drivers' license numbers. However, trip history, dates of birth, social security numbers, credit card and bank details were not affected in the breach, the ride-hailing giant said.
"We have seen no evidence of fraud or misuse tied to the incident," Uber said. "We are monitoring the affected accounts and have flagged them for additional fraud protection."
Uber also said the 2.7 million figure is an "approximation rather than an accurate and definitive count" because it cannot always tell where each customer was located.
The UK's data regulator, the Information Commissioner's Office (ICO), said it expects Uber to notify all affected British customers and drivers as soon as possible.
"As part of our investigation we are still waiting for technical reports which should give full confirmation of the figures and the type of personal data that has been compromised," Deputy Commissioner James Dipple-Johnstone said in a statement.
The revelation also comes as Uber battles to overturn a decision by London's transport regulator in September to revoke its operating license. The Transport of London cited concerns over Uber's reporting of criminal offences, background checks and the use of its secret Greyball software in London, among other issues.
London Mayor Sadiq Khan described the revelation as "shocking" and called on Uber to notify UK users immediately.
"This latest shocking development about Uber will alarm millions of Londoners whose personal data could have been stolen by criminals," Khan said. "Uber needs to urgently confirm which of their customers are affected, what is being done to ensure these customers don't suffer adversely, and what action is being taken to prevent this happening again in the future.
"The public will want to know how there could be this catastrophic breach of personal data security."
The latest blow comes after months of controversies for Uber, from allegations of sexism and harassment to its lawsuit with Google's Waymo and an exodus of top executives, including its founder Travis Kalanick. The company also continues to face regulatory battles in multiple US states and countries across the globe.
Uber is facing intense political scrutiny stateside over its handling of the breach and has been hit with several lawsuits regarding the incident.
"None of this should have happened," Uber CEO Dara Khosrowshahi said after news of the data breach broke last week. "And I will not make excuses for it."