Uber disclosed Friday that a data breach may have affected up to 50,000 of its drivers across several states.
The computer-database was accessed on May 13, 2014 and Uber found out four months later, the company said. Uber is now facing flack for waiting over five months to notify affected drivers.
“Uber takes seriously our responsibility to safeguard personal information, and we are sorry for any inconvenience this incident may cause,” Katherine Tassi, Uber’s managing counsel of data privacy, wrote in a statement on the company’s blog.
The app-based car service company says once it was aware of the breach, it changed access protocols for the database. Uber said the company is in the process of notifying drivers whose names and driver’s license numbers were exposed.
In California, where the company is based, companies who lose consumer names and other personal information, including driver’s license numbers, are mandated to tell those affected “in the most expedient time possible and without unreasonable delay,” the Wall Street Journal reported.
“Investors and consumers want timely, if not immediate, notification,” Jacob Olcott, a former congressional adviser on cybersecurity told the Wall Street Journal.
Uber said in the blog post that no misuse of the exposed information has been reported. The company said it will provide a free one-year membership to identity protection services for drivers whose personal information may have been compromised.
The breach follows a number of legal challenges that have rocked the on-demand taxi service app in the recent past.