The United Kingdom’s Information Commissioner’s Office has fined Uber £385,000 ($491,284) for failing to protect customers’ personal data during a cyber-attack in 2016, and not reporting the breach in a timely manner. The taxi-aggregator was also slammed by the Dutch Data Protection Authority with a fine of €600,000 ($679,257) for the same reason.
The ICO stated the breach allowed hackers to illegally access personal data, including names, email addresses, and phone numbers of 2.7 million Uber customers in the U.K. and 174,000 in the Netherlands.
After hiding the incident for more than a year, Uber admitted last November that hackers did manage to steal personal data of 57 million customers and drivers worldwide. The company alleged that two hackers gained unauthorized access to information on GitHub and stole Uber’s credentials for a separate cloud-services provider, from which they were able to download driver and rider data.
It is reported that Uber paid the hackers $100,000 to keep the data breach a secret and failed to inform its customers and drivers about the incident. The compromised customer information included names, phone numbers, email addresses, and their location. The driver information included their weekly pay, trip summaries, and their car license details, according to the ICO statement.
“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen,” ICO Director of Investigations Steve Eckersley said. “At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”
“Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber-attack. Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected,” Eckersley added.
On November 28, 2017, Washington State Attorney General Bob Ferguson filed a multimillion-dollar lawsuit against Uber, alleging that the ride-sharing company violated the state’s revised data breach notification norm. Ferguson alleged that names and driver’s license numbers of at least 10,888 Uber drivers in Washington state were stolen without their being notified as state law requires.