Disgruntled British customers have shared screenshots on Twitter of billing information in rubles for supposed trips in Moscow and St. Petersburg.
More than 800 customers in the US and Britain have complained to Uber that they were billed in rubles for rides in Russia's two biggest cities, The Timesreported on Thursday.
In addition, while the U.S. does not now have a federal law requiring companies to inform the public about data breaches, the vast majority of states have enacted breach notification statutes of their own - which are typically a lot stricter than a full year's time for disclosure.
It is not clear whether those who are complaining of being hijacked on Twitter were affected in that hack or in a separate attack.
Meanwhile, Anthony Glees, of the University of Buckingham, said: "Given the obvious level of organisation and the patterns of fraudulent use it seems reasonable to believe that Russian hackers obtained these users" data and have traded it on the dark web'. Users also said their phone numbers had been changed to Russian numbers.
Khosrowshahi discussed the hack in a recent blog post stating, "You may be asking why we are just talking about this now, a year later".
Has your Uber account been hacked?
In October of a year ago, hackers breached Uber's system and were able to access the names, phone numbers and email addresses of millions of users.
Drivers who had their license numbers exposed are being individually notified, with Uber providing them with free credit monitoring and identity theft protection. In a statement, an agency spokesman told Reuters, "We are aware of press reports describing a breach in late 2016 at Uber and Uber officials' actions after that breach".
'It is a worldwide incident and it is unclear at this stage which countries were affected by the hack.
He added that Uber "did not notify individuals in the UK, the UK Government or UK regulators" at the time the hack was discovered in October past year.
In a statement on Wednesday, Uber announced that they had previously discussed the data breach with SoftBank saying, "We informed SoftBank that we were investigating a data breach, consistent with our duty to disclose to a potential investor, even though our information at the time was preliminary and incomplete".
The tech company reportedly tracked down the hackers and pressured them to sign non-disclosure agreements so news of the incident did not become public. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts. The Information Commissioner's Office (ICO) has begun an investigation and said it had "huge concerns"...
So Uber is likely to have breached state laws by concealing the breach for so long.
Uber claims that outside forensic experts "have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded".
He wrote: 'At the time of the incident, we took immediate steps to secure the data and shut down further unauthorised access by the individuals.
None of this should have happened, and I will not make excuses for it.