Data protection regulator the Information Commissioner’s Office has said that it has “huge concerns” relating to Uber’s cover-up of a massive data breach that came to light this week.

Uber admitted on Tuesday that it had failed to disclose a cyberattack that exposed the data of some 57 million combined drivers and passengers – and paid hackers to not release the stolen data.

In a statement posted online, Uber chief executive Dara Khosrowshahi said that an October 2016 attack encompassed personal information like names and phone numbers of Uber users worldwide.

In a blog post, he said two unnamed people outside the company had “inappropriately accessed user data stored on a third-party cloud-based service”, without breaching Uber’s internal systems.

“Our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded,” he added.

The data stolen included the names and licence numbers of around 600,000 drivers in the US and unidentified “personal information” on 57 million drivers and users around the world (a total that includes the drivers described above), including names, email addresses and mobile phone numbers.

“We took immediate steps to secure the data and shut down further unauthorised access by the individuals,” Mr Khosrowshahi said.

“We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”

Those responsible were reportedly pressured to sign non-disclosure agreements so news of the breach did not get out.

The New York Times alleged that company executives had then dressed up the breach as a “bug bounty”, the practice of paying hackers to test the strength of software security.

Affected accounts have been flagged for additional fraud protection, Mr Khosrowshahi said.

“None of this should have happened, and I will not make excuses for it,” he wrote.

“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”

On Wednesday, the Information Commissioner’s Office said that Uber’s admission over the hack “raises huge concerns around its data protection policies and ethics”.

“It’s always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers,” said deputy commissioner James Dipple-Johnstone.

“If UK citizens were affected then we should have been notified so that we could assess and verify the impact on people whose data was exposed.”

He said that the ICO would be working with the National Cyber Security Centre (NCSC) and other relevant British and international authorities to determine the scale of the breach, and the extent to which it has affected people in the UK.

Mr Dipple-Johnstone said that the ICO and other agencies would also determine what steps need to be taken by Uber to ensure it fully complies with its data protection obligations.

“Deliberately concealing breaches from regulators and citizens could attract higher fines for companies,” he added.

A spokesperson for the NCSC, an arm of GCHQ, said companies must report any cyber attacks “immediately”.

“The more information a company shares in a timely manner, the better able we are to support them and prevent others falling victim,” he added.

“We are working closely with other agencies including the NCA and ICO to investigate how this breach has affected people in the UK and advise on appropriate mitigation measures.

“Based on current information, we have not seen evidence that financial details have been compromised.”

Concerns about corporate cybersecurity have intensified in the wake of high-profile hacks targeting companies like Yahoo — which disclosed this year that all three billion of its email users’ accounts were hacked in 2013 — and credit reporting agency Equifax, whose former CEO was grilled before Congress about security weaknesses that facilitated the attack.

According to Bloomberg, the Uber hack cost Chief Security Officer Joe Sullivan and an associate their jobs because they sought to keep it quiet.

Alex Neill, managing director of home products and services at consumers’ association Which?, said that data breaches are becoming increasingly common and the protections for consumers are lagging behind.

“The UK Government should use the Data Protection Bill to give independent bodies the power to seek collective redress on behalf of affected customers when a company has failed to take sufficient action following a data breach,” she said.

The EU-wide General Data Protection Regulation (GDPR) will punish companies attempting to conceal breaches after it comes into force in May.

The law, which the UK will remain part of after Brexit, will impose fines of up to €20m (£18m) or 4 per cent of the company’s global annual turnover – whichever is higher.

Proponents say it will harmonise national laws and “protect and empower all EU citizens’ data privacy and to reshape the way organisations across the region approach data privacy”.

It comes amid warnings over record levels of cyber crime, which are expected to continue rising as the techniques and programmes used become more easily obtained and operated.