Maltese MEP Alfred Sant asked the European Commission whether it has any information on the massive data breach on consumers by Uber and whether it plans to take formal action for the violation of EU legislation. Uber experienced a massive data breach in October 2016 that included the personal information of 57 million consumers and drivers across the globe, including EU citizens. According to recent news, instead of notifying the authorities or the individuals affected, Uber paid the hackers responsible for the original breach $100,000 to delete the data and cover up the breach in security.

Discovery of the U.S. company’s cover-up of the incident resulted in the firing of two employees responsible for its response to the hack. Dara Khosrowshahi, who replaced co-founder Travis Kalnick as CEO in August, said he had only recently learned of this massive data breach.

“What is the Commission’s view of practices which enable a company active in the digital and sharing economy to experience a data breach without informing clients or the relevant national authorities?” asked the Maltese MEP.

Sant said that in light of the EU legislation on measures applicable to the notification of personal data breaches as well as on privacy and electronic communications, Uber’s year long cover-up is highly questionable. This regulation specifies that when the breach of data can adversely affect the personal privacy of individuals, providers shall notify the individuals and this notification should be made no later than 24 hours after its detection.