The Information Commissioner's Office (ICO) has issued a fine of £385,000 to ride-hailing service Uber for failing to safeguard personal information of around 2.7 million UK customers, including 82,000 drivers.
Between October and November 2016, a couple of malicious individuals accessed login credentials for one of Uber's Amazon Web Services servers from coding site GitHub. Using those credentials, they were able to access a huge database that contained personal information of thousands of registered Uber drivers as well as 57 million customers, both from the United States as well as from Europe.
In order to hide the said breach, Uber paid a $100,000 ransom to the two individuals and chose to brush the incident under the carpet. However, in November 2017, the company's new CEO Dara Khosrowshahi decided to come clean and announced the scale of the breach that took place a year ago and how Uber's top executives conspired to keep the breach hidden from the public.
Following Khosrowshahi's announcement, the ICO launched an investigation into the breach along with the National Cyber Security Centre and stated that since Uber deliberately concealed the breach from regulators and citizens, it could attract higher fines.
Uber fined under pre-GDPR Data Protection Act
According to the ICO, the Uber data breach compromised personal information such as names, email addresses, and phone numbers of around 2.7 million UK customers, including 82,000 drivers. It added that Uber paid the attackers responsible $100,000 to destroy the data they had downloaded, did not inform customers about the incident.
Since the breach occurred between October and November 2016, the ICO thus issued a fine of £385,000 to Uber under the Data Protection Act, 1998 which allowed authorities to issue a maximum fine of £500,000 for data protection offences.
"This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.
"Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack.
"Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected," said Steve Eckersley, Director of Investigations at the ICO.
"This fine shows that even the most prominent public organisations need to pay more attention to data security policies and put in place appropriate measures to keep personal data safe. Many companies continue to display poor stewardship over the personal details belonging to customers, employees, and other parties. Unless organisations begin to respect the importance of protecting customer data, we will continue to see more big-name companies making costly mistakes that harm countless individuals," said Rich Campagna, CMO at Bitglass.
Fines issued by the U.S. and the Netherlands
Autoriteit Persoonsgegevens, the Dutch data protection authority, has also issued a fine of €600,000 to Uber for failing to protect personal information of 174,000 Dutch citizens that were compromised as a result of the 2016 data breach. The fine was issued under the country's pre-GDPR law to Uber as " it did not report the data breach to the Dutch DPA and the data subjects within 72 hours after the discovery of the breach".
In the United States, Uber was asked to pay a fine of $148 million (£116.5 million) in September this year for failing to notify as many as 600,000 drivers that their personal information had been compromised following the 2016 data breach. The settlement amount will be divided between the fifty U.S. states, based on the number of people affected in each state.
"Uber’s decision to cover up this breach was a blatant violation of the public’s trust. The company failed to safeguard user data and notify authorities when it was exposed. Consistent with its corporate culture at the time, Uber swept the breach under the rug in deliberate disregard of the law. Companies in California and throughout the nation are entrusted with customers’ valuable private information. This settlement broadcasts to all of them that we will hold them accountable to protect their data," said California Attorney General Xavier Becerra.
“We wholeheartedly support innovative business models, but new ways of engaging in business cannot come at the expense of public safety or consumer privacy. This settlement today demonstrates what happens when all of us in law enforcement work together. My office will continue to collaborate closely with the Attorney General to protect consumers both in San Francisco, and the rest of California," said San Francisco District Attorney George Gascón.