ICO fines Uber £385,000 for failing to protect data of 2.7 million UK customers

The breach

In October 2016 a massive breach affecting 57 million Uber customers and drivers was discovered by the company, but instead of acknowledging the breach Uber paid £75000 to the hackers in exchange for deleting the data and keeping the breach quiet. In effect hiding the data breach from the regulators and all affected customers.

This hidden data breach by the ride-sharing firm included vast quantities of personal data from driver and customer accounts globally: names, email addresses as well as mobile phone numbers. Including the data of approximately 2.7 million user accounts in the UK.

It took a year, but in November 2017, Uber came forward with some details of the breach and admitted their mistake of not disclosing the breach at the time of discovery.

The fine

The UK Information Commissioner’s Office (ICO) has now fined Uber £385,000 for failing to protect UK customers’ information. The ICO found that the cyberattack resulted in approximately 2.7 million UK customers’ personal data getting accessed and downloaded by attackers from a cloud-based storage system run by Uber’s US parent company.  Additionally, the records relating to journeys and payments made of about 82,000 UK drivers were stolen in the 2016 attack.

Steve Eckersley, ICO Director of Investigations, said:

“This was not only a serious failure of data security on Uber’s part but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”

The data protection authority for the Netherlands has also issued a fine of 600,000 euros (£532,000) to Uber for the same breach, as it also affected 174,000 Dutch customers.

Mr Eckersley said:

“Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack.”

According to the ICO, the security flaws that enabled the personal information to be accessed by the attackers were avoidable and the way in which Uber handled the breach was unacceptable.

Uber has already paid a  huge fee to settle legal action brought by drivers, customers and states in the US earlier this year to resolve the matter.

ICO: