Uber Fined for Data Breach - and for Its Reaction to It
In the UK, the Information Commissioner's Office (ICO) has fined Uber £385,000 for failing to protect the personal information of around 2.7 million UK customers during a cyber attack in autumn 2016 - and for an inappropriate response to the attack once discovered.
The ICO said a series of 'avoidable data security flaws' allowed hackers to access and download the records - including full names, email addresses and phone numbers - from a cloud-based storage system operated by Uber's US parent company. In addition, some 82,000 drivers had details stolen including journeys made and how much they were paid.
Uber paid the attackers $100,000 to destroy the data, and failed to tell customers and drivers about the incident for more than a year, breaching principle seven of the Data Protection Act 1998. ICO Director of Investigations Steve Eckersley said: 'This was not only a serious failure of data security on Uber's part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable'.
Eckersley added that although there was no legal duty to report data breaches under the old legislation, 'Uber's poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected'.
The ride sharing firm has also been fined by Dutch data protection body the Autoriteit Persoonsgegevens, over the effects of the same incident in the Netherlands.
Both fines were issued under pre-GDPR rules which limit the size of penalties. Since 25th May this year, the ICO has the power to impose a civil monetary penalty (CMP) on a data controller of up to £17m (EUR 20m) or 4% of a firm's global turnover.
Web site: www.ico.org.uk