Uber Pays £113m To Settle Hidden Data Breach

A data breach cover-up by taxi hailing giant Uber has cost the firm a huge amount of money in the United States.

Uber is to pay $148m (£113m) in order to settle legal action over the cyber-attack in October 2016, which exposed data from 58 million customers and drivers.

No financial details or journey records were taken by the hacker, who was paid $100,000 to delete the files, but some personal information was stolen and there are no guarantees the data was indeed destroyed.

Settlement money

Uber reportedly used its so-called “bug bounty” programme (normally used to reward the discovery of small code vulnerabilities) to pay off the hacker, said to be an unidentified 20-year-old man in Florida.

Uber came clean about the incident in November 2017, after new CEO Dara Khosrowshahi said he had only recently become aware of the breach. Khosrowshahi had joined the company earlier in 2017 and said it was working with the authorities.

On this side of the pond, the Information Commissioner’s Office (ICO) and National Cyber Security Centre (NCSC) are investigating the matter.

But in the United States, Uber had been facing legal action from the US government and 50 states over its failure to disclose details of the data loss and its concealment of the breach from regulators.

The $148m payment should settle this legal action, but separate lawsuits over the breach from drivers, customers and the cities of Los Angeles and Chicago are still ongoing.

Meanwhile, Uber has also pledged to change how it operates, and it is now required to submit regular reports on security incidents to regulators.

European fines?

Whilst this settlement should resolve most (but not all) of the legal action Uber is facing in the United States, the question remains as to what financial penalties it will face from non-US regulators.

It is known that deliberately concealing breaches from regulators and citizens can attract higher fines for companies.

Had the incident taken place after the EU’s General Data Protection Regulation (GDPR) came into force this year, the penalties could have been more severe.

The GDPR replaces the Data Protection Act (DPA) 1998, and it vastly increases the power of European data protection authorities to impose fines, with organisations facing penalties of up to 20 million euros, or 4 percent of their annual worldwide turnover, whichever is greater.

But because the breach took place under the old DPA regime, the Information Commissioner’s Office in the UK, for example, can only impose fines of up to £500,000.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
