November 27, 2018 (updated 28 Nov 2018 12:51am)

UK and Dutch Data Regulators Fine Uber Over £900,000 for 2016 Hack

“There is no doubt that this fine would be higher if it had been post GDPR”

By CBR Staff Writer

Uber, the ride-hailing company, has been fined over £900,000 by data protection authorities in the UK and the Netherlands.

The Information Commissioner’s Office (ICO) has fined Uber £385,000 for what it calls a “series of avoidable data security flaws” that allowed hackers to obtain the personal data of 2.7 million people in the UK.

The fine stems from a data breach Uber suffered in 2016, in which the data of 57 million people across the world was exposed.

It was later discovered that Uber had paid the hackers to delete the compromised data, in the hope that the issue would be forgotten. Critically, Uber failed to inform customers at the time of the breach that their data had been stolen and was in the hands of threat actors.

Uber Fined by ICO

ICO Director of Investigations Steve Eckersley commented in a released statement that: “This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”

“Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyberattack.”

“Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected.”


The Dutch data protection authority has also hit the company with a fine of £532,000. Over 174,000 Dutch citizens were affected by the data breach.

An Uber spokesperson commented to Computer Business Review that: “We’re pleased to close this chapter on the data incident from 2016.”

“As we shared with European authorities during their investigations, we’ve made a number of technical improvements to the security of our systems both in the immediate wake of the incident as well as in the years since. We’ve also made significant changes in leadership to ensure proper transparency with regulators and customers moving forward.”


Jake Moore, cyber security expert at ESET UK, commented in an emailed statement that: “Cyber criminals can do a lot of damage with a large breached list containing only names and emails, so the ICO are determined to stamp out this type of activity – especially when it has been ruled ‘avoidable’.”

“Having hackers know a set of live emails and names means they can send phishing emails or even attempt to work out the customers’ passwords. An incredibly large number of people still use predictable or simple passwords. Together with previous and even recent high profile breaches, many people’s passwords are also readily available on the dark web, so it can sadly be made very simple for the cyber criminals.”

“There is no doubt that this fine would be higher if it had been post GDPR.”
