Uber says the data breach it kept secret for over a year resulted in the personal data of approximately 2.7 million people in the UK being exposed.
The ride-hailing app – already under pressure in this country on employment rights and the future of its operating licence in London – said it could not be sure of the figure because of the way it collects data by country.
It revealed last week that the data of 57 million people worldwide was exposed by hackers in October 2016.
It later emerged the company had effectively paid off the persons responsible in the belief the information – which included names, addresses and mobile phone numbers – would be deleted and not used by the criminals.
Uber also confirmed it had got rid of its security chief who had presided over the incident.
In its update on Wednesday, the US-based firm again reiterated that it did not believe customers needed to take any action as it had not seen any evidence of the information being used.
Uber added: “Our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers or dates of birth were downloaded.”
However, its statement failed to give any such assurances about the security of drivers’ data though it had earlier said there had been no fraudulent use of their details and they had been offered free credit monitoring as a precaution.
Uber’s chief executive said then: “None of this should have happened, and I will not make excuses for it.”
Dara Khosrowshahi, who took over from ousted co-founder Travis Kalanick in August, also pledged to launch an inquiry into why it had taken 13 months for the breach to be made public.
UK data officials have spoken of their concern and the incident could potentially land the company in more legal wrangles in the UK.
Firms operating here can currently be fined up to £500,000 for failing to inform people if their data is stolen, which is an offence under the Data Protection Act.
Stiffer penalties are on the way under EU law which the UK is enshrining in domestic law before Brexit.
Offenders could face fines of £17m or 4% of their global turnover under the legislation.
Responding to Uber’s update, James Dipple-Johnstone, of the UK Information Commissioner’s Office, said he would expect Uber to alert everyone affected “as soon as possible”.
The watchdog added it was still awaiting details from Uber on the type of personal data that was compromised.