UK and Netherlands fine Uber over huge data breach

Customers had personal details accessed by hackers

he UK and the Netherlands represented a small fraction of a broader data breach that affected some 57million Uber passengers.

British and Dutch data protection regulators have fined Uber over a vast data breach that compromised information about customers and drivers after US states earlier this year levied a record fine.

Britain’s Information Commissioner’s Office said on Tuesday it would fine Uber £385,000 (€435,000 )for “failing to protect customers’ personal information during a cyber attack.”

“A series of avoidable data security flaws allowed the personal details of around 2.7 million UK customers to be accessed and downloaded by attackers from a cloud-based storage system operated by Uber’s US parent company,” the ICO said, adding that the data included full names, email addresses and phone numbers.


Records of almost 82,000 drivers in the UK, including journey details and how much they were paid, were also taken during the breach that occurred in October and November 2016, according to the ICO.


Meanwhile, the Dutch Data Protection Authority hit Uber with a fine of €600,000 (£532,000) for “violating the Dutch data breach regulation”. “The Uber concern is fined because it did not report the data breach to the Dutch DPA and the data subjects within 72 hours after the discovery of the breach,” it said.

The UK and the Netherlands represented a small fraction of a broader data breach that affected some 57million passengers. Uber realised that it had been hacked in December 2016 but, instead of notifying regulators or the people affected, it paid $100,000 to the hackers to destroy the stolen information, the company said last November.

Uber agreed in September to pay a record $148m to settle claims with all 50 US states and the District of Columbia over the data breach. As part of the agreement, it was also required to “adopt model data breach notification and data security practices and a corporate integrity program for employees to report unethical behaviour, and hire an independent third party to assess its data security practices.”


ICO Director of Investigations Steve Eckersley said: This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.

Uber said on Tuesday it had made “a number of technical improvements to the security of [ITS]systems both in the immediate wake of the incident as well as in the years since.”

“We’ve also made significant changes in leadership to ensure proper transparency with regulators and customers moving forward,” a spokesperson said. “We learn from our mistakes and continue our commitment to earn the trust of our users every day.” - Copyright The Financial Times Limited 2018