"We'll be working with the National Cyber Security Centre (NCSC) plus other relevant authorities in the United Kingdom and overseas to determine the scale of the breach, how it has affected people in the United Kingdom and what steps need to be taken by the firm to ensure it fully complies with its data protection obligations", Dipple-Johnstone added.
A British law firm says the ride-hailing firm Uber could now face legal claims after a data breach that saw hackers steal the personal information of some 57 million people around the world. The company paid the hackers $100,000 to delete the data and keep the breach quiet. They have fired two employees this week "who led the response to this incident" which includes keeping the data breach undisclosed and paying money to the hackers.
"None of this should have happened, and I will not make excuses for it", Khosrowshahi said in the statement.
The first case, Alejandro Flores v. Raiser, which was filed Tuesday in federal court in Los Angeles, described Uber's conduct as "grossly negligent", and added that the company "departed from all reasonable standards of care".
In addition, while the U.S. does not now have a federal law requiring companies to inform the public about data breaches, the vast majority of states have enacted breach notification statutes of their own - which are typically a lot stricter than a full year's time for disclosure. This regulation specifies that when the breach of data can adversely affect the personal privacy of individuals, providers shall notify the individuals and this notification should be made no later than 24 hours after its detection.
Khosrowshahi, who joined the company in August, said: "You may be asking why we are just talking about this now, a year later". Khosrowshahi wrote in a blog post, "We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers".
"The scope of this breach is something the Uber board should have been briefed about and consulted on at the very least", said Cynthia Clark, an associate professor of management at Bentley University. The company was also sued for negligence over the breach by a customer seeking class-action status.
US Representative Frank Pallone called for a Congressional hearing.
Equifax executives have been hauled before congressional committees in Washington to explain why it took several weeks for the firm to notify consumers of the incident.
"Deliberately concealing breaches from regulators and citizens could attract higher fines for companies", James Dipple-Johnstone, deputy commissioner of the UK Information Commissioner's Office, said in a statement.
Uber became embroiled in controversy earlier this year after the company faced sexual harassment allegations, prompting an investigation by former Attorney General Eric Holder into the company's culture. With news of the breach, however, it appears Khosrowshahi will be stuck picking up the pieces left by his predecessor. One source familiar with the matter said SoftBank is planning to stick to its agreement to invest in Uber but may seek better terms. He has a rock-solid brand.