Uber fined £900k over data breach
Written by Hannah McGrath
Uber has been fined more than £900,000 by UK and Dutch regulators for failures relating to a 2016 cyberattack which left millions of customers’ personal data exposed.
The Information Commissioner’s Office (ICO) slapped the ride-hailing giant with a £385,000 fine on top of a €600,000 fine from the Dutch Data Protection Authority (DPA) for the breach, which compromised the names, mobile phone numbers and email addresses of more than 57 million users worldwide.
More than 2.7 million user accounts in the UK - making it a majority of Uber’s users - were left exposed by the attack.
“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen,” Steve Eckersley, the ICO’s director of investigations said in a statement.
“At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support; that left them vulnerable,” he added.
The ICO’s ruling also said the records of nearly 82,000 Uber drivers in the UK, including journey details and charges, were stolen during the hacking incident, which occurred between October and November 2016.
The date of the attack - a year before the new GDPR legislation came into force - means the ICO could only levy penalties under the Data Protection Act, which carries a maximum fine of £500,000.
Had the breach occurred after GDPR legislation was introduced in May 2018, the ICO could have fined Uber up to an estimated £17 million, or four per cent of the company’s global annual turnover.
The ICO said the hackers used "credential stuffing", in which username and password pairs are entered into websites until they match an existing account, to gain access to Uber's data storage.
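What distinguishes credential stuffing from a brute-force attack on one account, from a defender's point of view, is the breadth of distinct usernames a single source tries in a short period. The following is an added example, not code from this article or from Uber: a small Python detector run over a constructed login log, where the log format, the IP addresses and the threshold values are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of web login events: timestamp, source IP, username, outcome.
# These are made-up lines for illustration, not data from the Uber incident.
SAMPLE_LOG = """\
2016-10-13T02:00:01 198.51.100.7 alice@example.com FAIL
2016-10-13T02:00:02 198.51.100.7 bob@example.com FAIL
2016-10-13T02:00:03 198.51.100.7 carol@example.com FAIL
2016-10-13T02:00:04 198.51.100.7 dave@example.com OK
2016-10-13T02:00:05 198.51.100.7 erin@example.com FAIL
2016-10-13T02:00:06 198.51.100.7 frank@example.com FAIL
2016-10-13T02:00:07 203.0.113.9 alice@example.com FAIL
2016-10-13T02:00:09 203.0.113.9 alice@example.com FAIL
2016-10-13T02:00:12 203.0.113.9 alice@example.com OK
"""

def parse_events(text):
    """Parse one event per line into (time, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome == "OK"))
    return events

def find_credential_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Return {ip: distinct users} for IPs that tried >= min_users accounts within window.
    Brute force repeats one username; credential stuffing cycles through many, so
    distinct-username breadth per source IP is the signal this detector keys on."""
    by_ip = defaultdict(list)
    for t, ip, user, _ in sorted(events):
        by_ip[ip].append((t, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged

if __name__ == "__main__":
    print(find_credential_stuffing(parse_events(SAMPLE_LOG)))  # {'198.51.100.7': 6}
```

The second source repeats a single username and is not flagged; a production version would also key on password-reuse signals and per-account failure rates rather than source IP alone, since stuffing tools rotate addresses.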
The data watchdog found that Uber had discovered the breach and paid the attackers without informing affected customers who could have been put at higher risk of fraud.
The attack targeted 174,000 people in the Netherlands and the DPA said it was fining Uber for failing to report the incident within 72 hours after it was discovered.
Eckersley said: "This was not only a serious failure of data security on Uber's part, but a complete disregard for the customers and drivers whose personal information was stolen. Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack.
"Although there was no legal duty to report data breaches under the old legislation, Uber's poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected,” he added.
National Technology News has contacted Uber for comment.