The UK Information Commissioner’s Office (ICO) and the Dutch Data Protection Authority (Dutch DPA) have fined Uber for a data breach that has already cost it US$148 million.
The ICO has imposed a £385,000 fine for “failing to protect customers’ personal information during a cyber attack”, while the Dutch DPA has levied a €600,000 penalty.
Uber revealed the 2016 attack in November 2017, with new CEO Dara Khosrowshahi saying senior members of staff had attempted to cover up the incident by paying $100,000 to the hackers to delete the information they had obtained.
More than 57 million passengers’ and drivers’ data was involved in the breach.
The ICO said the personal details of around 2.7 million customers and nearly 82,000 drivers in the UK were stolen in the incident, while the Dutch DPA says 174,000 citizens were affected. None of them were told about it until the media reported on the breach nearly a year later.
However, at the time, Uber was not legally obliged to disclose the incident. Under new GDPR rules, companies that experience a breach are required to report it to the appropriate authorities within 72 hours.
ICO director of investigations Steve Eckersley said: “This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.
“Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack. Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected.”