The UK's data watchdog says it has "huge concerns" over Uber's secret payment of $100,000 to hackers who stole users' information.
The Information Commissioner's Office says the revelation that 57 million customers' and drivers' data was stolen by hackers and covered up by Uber raises questions about the company's ethics.
"Uber's announcement about a concealed data breach last October raises huge concerns around its data protection policies and ethics," said James Dipple-Johnstone, the deputy commissioner.
"Deliberately concealing breaches from regulators and citizens could attract higher fines for companies."
Uber announced that it had got rid of its chief security officer as it confirmed his team had not informed victims but instead paid off hackers who breached the company's systems in October 2016.
Firms which operate in the UK can currently be fined up to £500,000 for failing to inform people if their data is stolen, which is an offence under the Data Protection Act.
Under the EU's General Data Protection Regulation, which the UK is enshrining in domestic law before Brexit, companies could face fines of £17m or 4% of their global turnover, whichever is higher.
At the time the cover-up was revealed, the ride-hailing app's chief executive, Dara Khosrowshahi, said: "None of this should have happened, and I will not make excuses for it."
Mr Khosrowshahi, who joined the company in August, said: "You may be asking why we are just talking about this now, a year later.
"I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it.
"While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes."
Uber's former chief executive, Travis Kalanick, learned of the hack in 2016, according to Bloomberg – seven months before a shareholder revolt forced him to quit.
Uber has stated that it is in the process of notifying the relevant regulators, but has not issued further comment.