Uber may have broken UK law when it hushed up a major hack affecting 57 million customers and drivers worldwide.
The taxi-hailing company has told the Government how many UK citizens it thinks were affected by the breach, but ministers do not have enough confidence in the number to make it public.
A third-party server was infiltrated in late 2016 and a $100,000 (£75,500) ransom paid to hackers so they would delete the data and keep the security lapse quiet.
Regulators were not made aware of the breach, with British authorities only learning of it when they were notified by the media last week.
Culture minister Matt Hancock said delaying notification was "not acceptable" unless there was a good reason.
The Information Commissioner's Office has warned Uber it could face fines, saying the incident raised "huge concerns around its data protection policies and ethics".
In the House of Commons on Thursday, shadow culture minister Kevin Brennan asked Mr Hancock: "Has Uber broken current UK law in relation to this breach?"
Mr Hancock replied: "I think that of course would be a matter for the courts, but I think there's a very high chance that it is."
He said new legislation would introduce tougher measures for data breaches, meaning organisations would have to report them within 72 hours of becoming aware.
Information stolen in the breach included names, email addresses and mobile phone numbers, as well as the names and number plates of 600,000 drivers in the US.
Mr Hancock said UK authorities are continuing to investigate the scale of the hack and that a figure for how many people were hit will be released within days.
Mr Hancock told the Commons the initial assessment was that the stolen information did not leave Uber customers vulnerable to financial crime.
Answering an urgent question, Mr Hancock said: "In terms of the number, we do not have sufficient confidence in the number that we have been told by Uber to be able to go public on it.
"We are working with the National Cyber Security Centre and the ICO (Information Commissioner's Office) to have more confidence in that figure.
"He'll remember from the Equifax breach that the initial figure suggested went up, and we want to make sure we get to the bottom of it.
"But I will, we will, publish further details within days, and if required I'm very happy to come before the House next week to take further questions."
The tech company reportedly tracked down the hackers and pressured them to sign non-disclosure agreements so news of the incident did not become public.