Uber the ride-hailing application enterprise has been fined over £900,000 by data regulation authorities in the UK and the Netherlands.
The Information Commissioner’s Office (ICO) has fined Uber £385,000 for what it calls a “series of avoidable data security flaws” that allowed hackers to obtained the personal data of 2.7 million people in the UK.
The fine stems from a data breach Uber suffered in 2016 which saw the data of 57 million people across the world exposed.
It was then discovered that Uber had paid the hackers to delete the compromised data, in the hope that the issue would be forgotten. Critically Uber failed to inform customers at the immediate time of the breach that their data had been stolen and was in the hands of threat actors.
Uber Fined by ICO
ICO Director of Investigations Steve Eckersley commented in a released statement that: “This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”
“Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyberattack.”
“Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected.”
The Dutch data regulation authority has also hit the company with a hefty fine of £532,000. Over 174,000 Dutch citizens were affected by the data breach.
An Uber spokesperson commented to Computer Business Review that: “We’re pleased to close this chapter on the data incident from 2016.”
“As we shared with European authorities during their investigations, we’ve made a number of technical improvements to the security of our systems both in the immediate wake of the incident as well as in the years since. We’ve also made significant changes in leadership to ensure proper transparency with regulators and customers moving forward.”
Jake Moore cyber security expert at ESET UK commented in an emailed statement that: “Cyber criminals can do a lot of damage with a large breached list containing only names and emails so the ICO are determined to stamp out this type of activity – especially when it has been ruled ‘avoidable’.”
“Having hackers know a set of live emails and names means they can send phishing emails or even attempt to work out the customers’ passwords. An incredibly large amount of people still use predictable or simple passwords. Together with previous and even recent high profile breaches, many people’s passwords are also readily available on the dark web so it can sadly be made very simple for the cyber criminals.”
“There is no doubt that this fine would be higher if it had been post GDPR.”