Tuesday 27 November 2018 9:44 am

Uber fined by UK watchdog over data leak during 2016 cyber attack

Ride-hailing giant Uber has been fined £385,000 by the Information Commissioner's Office, for failing to protect its customers' personal information during a cyber attack in 2016.

The ICO said today that a series of "avoidable data security flaws" led to the leaking of information about 2.7m of its UK customers, including full names, email addresses and contact numbers.

The records of almost 82,000 drivers in the UK, including details of how much they were paid, were also taken as part of the attack in October and November two years ago.

The Dutch Data Protection Authority also fined Uber today, imposing a penalty of €600,000 (£532,200). In total, the attack affected 57m Uber users and drivers worldwide.

Hackers gained access to Uber's cloud-based storage system using credential stuffing, a technique in which attackers repeatedly submit username and password pairs to a website until some of them match an existing account.
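Credential stuffing leaves a recognisable trace in authentication logs: one source address trying many different usernames in a short window, with most attempts failing. The following detector is an added example written for this article; it is not Uber's code or anything the ICO published. The log format, the thresholds, and the sample lines (which use reserved documentation IP ranges) are all constructed assumptions.

```python
"""Flag credential-stuffing patterns in a simple authentication log.

Added example, not code from the article or from Uber. The line format
("timestamp src_ip username SUCCESS|FAIL"), the detection thresholds and
the sample log below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log. 203.0.113.7 sprays six different usernames in a
# few seconds (one of them succeeds); 198.51.100.20 is one user who mistypes
# a password twice; 192.0.2.99 is a normal login.
SAMPLE_LOG = """\
2018-10-13T10:00:01Z 203.0.113.7 alice FAIL
2018-10-13T10:00:02Z 203.0.113.7 bob FAIL
2018-10-13T10:00:02Z 203.0.113.7 carol FAIL
2018-10-13T10:00:03Z 203.0.113.7 dave SUCCESS
2018-10-13T10:00:03Z 203.0.113.7 erin FAIL
2018-10-13T10:00:04Z 203.0.113.7 frank FAIL
2018-10-13T10:00:10Z 198.51.100.20 alice FAIL
2018-10-13T10:00:15Z 198.51.100.20 alice FAIL
2018-10-13T10:00:20Z 198.51.100.20 alice SUCCESS
2018-10-13T10:05:00Z 192.0.2.99 grace SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAIL)$")


def parse_log(text):
    """Return a list of (timestamp, src_ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        events.append((ts, m.group(2), m.group(3), m.group(4) == "SUCCESS"))
    return events


def detect_credential_stuffing(events, window_seconds=60,
                               min_distinct_users=5, min_fail_ratio=0.7):
    """Return {src_ip: summary} for every source that, within any window of
    window_seconds, tried at least min_distinct_users different usernames
    with a failure ratio of at least min_fail_ratio.

    The summary lists accounts that logged in successfully from the flagged
    source, since those are the ones a defender should reset first.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    window = timedelta(seconds=window_seconds)
    for ip, evs in by_ip.items():
        evs.sort()
        # Slide a window starting at each event; report the first that trips.
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            users = {u for _, u, _ in in_window}
            fails = sum(1 for _, _, ok in in_window if not ok)
            ratio = fails / len(in_window)
            if len(users) >= min_distinct_users and ratio >= min_fail_ratio:
                flagged[ip] = {
                    "attempts": len(in_window),
                    "distinct_users": len(users),
                    "fail_ratio": round(ratio, 2),
                    "compromised_accounts": sorted(
                        u for _, u, ok in in_window if ok),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The distinct-username count is what separates stuffing from an ordinary forgotten password: 198.51.100.20 fails twice but only ever tries one account, so it is not reported, while 203.0.113.7 is reported along with the one account ("dave") that the spray actually opened. In a real deployment the thresholds would be tuned against the service's baseline traffic, and sources sitting behind shared NAT would need a higher distinct-user threshold to avoid false positives.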

The ICO said customers and drivers were not informed of the attack for more than a year, with Uber instead opting to pay off the hackers to destroy the data they had downloaded.

"This was not only a serious failure of data security on Uber's part, but a complete disregard for the customers and drivers whose personal information was stolen," said ICO director of investigations Steve Eckersley.

"At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable."

"Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack."

Though such an attack now could result in a fine of up to four per cent of Uber's global turnover under GDPR rules, the ICO is limited to retrospective penalties of up to £500,000.

Eckersley continued: "Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected."

The ICO took the decision to impose the full penalty under the old system on Facebook earlier this year, over its handling of the Cambridge Analytica scandal and subsequent data losses.

Uber said in response to the news: "We're pleased to close this chapter on the data incident from 2016.

"As we shared with European authorities during their investigations, we've made a number of technical improvements to the security of our systems both in the immediate wake of the incident as well as in the years since. We've also made significant changes in leadership to ensure proper transparency with regulators and customers moving forward."

"We learn from our mistakes and continue our commitment to earn the trust of our users every day."