The UK Information Commissioner’s Office (ICO) has issued a fine of £385,000 against Uber for failing to protect customers’ personal information during a cyber attack in 2016 that compromised the data of millions of customers and tens of thousands of drivers.
The ICO has reported that data security flaws allowed the personal details of about 2.7 million UK customers, including full names, email addresses and phone numbers, to be accessed and downloaded by hackers from a cloud-based storage system operated by Uber’s parent company in the US. Records of almost 82,000 UK-based drivers were also accessed during the incident, including details of journeys made and how much they were paid.
It was found that Uber paid the hackers $100,000 to destroy the data, and customers and drivers affected were not informed for more than one year following the incident.
Steve Eckersley, the ICO’s Director of Investigations has commented:
“Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack.
“Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected.”
The Dutch Data Protection Authority has also issued a fine to Uber under its own pre-GDPR legislation.
Uber can consider itself fortunate that the breach occurred prior to the implementation of the General Data Protection Regulation (GDPR) on 25 May 2018. The ICO’s investigation of this incident therefore took place under the Data Protection Act 1998, which allows for a maximum fine of £500,000. Had the breach taken place today, in the post-GDPR world, the consequences may have been much more severe for Uber, as fines may now be issued up to a maximum of €20 million or four percent of turnover (whichever is higher).