UK and US regulators are looking into Uber's late reporting of a data breach that involved the theft of personal information from 57 million user accounts and 600,000 US drivers.

The UK's Information Commissioner's Office (ICO) is working to determine the scale of the breach, who was affected, and what steps Uber needs to take to ensure it's complying with data protection rules.

In the US, New York Attorney General Eric Schneiderman has opened an investigation, his spokeswoman said on Wednesday. The US Federal Trade Commission is also looking into the matter, a commission spokesman said in an email.

Uber was breached in October 2016, and discovered the hack a month later. But management decided to keep it under wraps until the company's new CEO, Dara Khosrowshahi, learned of it recently.

So far, Uber hasn't given a geographic breakdown of who might have been affected. But Uber's decision to keep things quiet "raises huge concerns" about its data protection policies and ethics, according to James Dipple-Johnstone, ICO deputy commissioner. "If UK citizens were affected then we should have been notified," he said. "Deliberately concealing breaches from regulators and citizens could attract higher fines for companies."

The UK's National Cyber Security Centre also voiced concern. "Companies should always report any cyber attacks to the NCSC immediately," it said in a statement.

In the US, most states have laws that require companies to disclose a data breach when it affects local residents. However, according to The New York Times, Uber instead identified the hackers responsible and reportedly had them sign nondisclosure agreements to keep them quiet about the incident.

Uber also paid the hackers $100,000 to delete the stolen data, but made the payment look like a reward, or a bug bounty, for finding a security hole in the company's systems.

PC Magazine