Uber fined £385,000 for data breach affecting 3m British users

Britains Information Commissioners Office has fined Ubers European business £385,000 for a data breach that affected almost 3m users in the UK, saying that “a series of avoidable data security flaws” were exploted by attackers.

The breach, which took place between October and November 2016, allowed hackers to access personal details for around 2.7m UK customers, including full names, email addresses and phone numbers, as well as detailed information on almost 82,000 Uber drivers like journeys taken and payments received.

Uber did not publicly disclose the attack for over a year, instead opting to pay the attackers responsible $100,000 (£78,500) to destroy the data they downloaded.  Steve Eckersley, director of investigations at ICO, said that this decision was not “an appropriate response to the cyber attack” and was “likely to have compounded the distress of those affected.”

“This was not only a serious failure of data security on Ubers part, but a complete disregard for the customers and drivers whose personal information was stolen,” said Eckersley. “At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”

In September, Uber was fined $148m for failing to notify drivers in the US about the breach. At the time, Uber CEO Dara Khosrowshahi said that “none of this should have happened, and I will not make excuses for it”. Two security officials at the company have been let go since the breach occured, due to their handling of the incident.

“Uber are accused of not only a serious failure of data security, but utter disregard for customers and drivers whose information was stolen – the reprimand reflects this,”said John Mitchison, director of policy and compliance at the DMA. “Accountability and transparency are two of the core principles of GDPR, as well as our own DMA code of practice. It is now crucial for Uber to focus its effort on these two pillars and rebuild the trust our research shows is so vital to consumers willingness to share data.

“The ICO fine comes just a month after the US government ordered Uber to pay £113m to settle legal action over the worldwide data breach which impacted the data of 57m customers and drivers. However, we believe that fines are just one of the risks: the long-term effects on customer trust, share price and public perception could have longer-lasting impact on businesses.”