British and Dutch authorities have fined Uber for a total of nearly $1.2m on Tuesday over a data breach incident that occurred in 2016.
The Information Commissioner’s Office (ICO) from UK imposed a £385,000 fine (close to $500,000) on Uber for “failing to protect customers’ personal information during a cyber attack”. The said attack happened in November 2016. Additionally, the Dutch Data Protection Authority imposed their own €600,000 (close to $680,000) fine over the same incident for not reporting the data breach to the Dutch DPA within 72 hours after the discovery of the breach. For the same data breach, the US government has fined Uber $148m.
Attackers obtained login credentials to access Uber’s servers and downloaded files in November 2016. These files contained records of users worldwide including passengers’ full names, phone numbers, and email addresses. Personal details of around 2.7million UK customers and 174,000 Dutch citizens were downloaded from Uber cloud servers by hackers in this breach.
Steve Eckersley, the Director of Investigations at ICO, said: “This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”
As the attack occurred in 2016, it was not subject to the EU’s GDPR that came into effect May 2018. The GDPR rules could have increased the fines for Uber.
The affected customers and drivers were not told about the incident and Uber started monitoring the accounts for fraud only after an year. The attackers then demanded $100,000 to destroy the data they took which Uber paid as “bug bounty”. This is unlike a legitimate bug bounty program which is a common practice in tech industries. The attackers had malicious intent hence they downloaded the data as opposed to just pointing out the breach.
Eckersley further added: “Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack.”
In a statement, Uber representatives said “We’re pleased to close this chapter on the data incident from 2016. We’ve also made significant changes in leadership to ensure proper transparency with regulators and customers moving forward. We learn from our mistakes and continue our commitment to earn the trust of our users every day.”