Uber Pays £113m To Settle Hidden Data Breach

A data breach cover-up by taxi hailing giant Uber has cost the firm a huge amount of money in the United States.

Uber is to pay $148m (£113m) in order to settle legal action over the cyber-attack in October 2016, which exposed data from 58 million customers and drivers.

No financial details or journey records were taken by the hacker, who was paid $100,000 to delete the files, but some personal information was stolen and there are no guarantees the data was indeed destroyed.

Settlement money

Uber reportedly used its so-called “bug bounty” programme (normally used to reward researchers for reporting small code vulnerabilities) to pay off the hacker, said to be an unidentified 20-year-old man in Florida.

Uber came clean about the incident in November 2017, after new CEO Dara Khosrowshahi said he had only recently become aware of the breach. Khosrowshahi, who had joined the company earlier in 2017, said the company was working with the authorities.

On this side of the pond, the Information Commissioner’s Office (ICO) and National Cyber Security Centre (NCSC) are investigating the matter.

But in the United States, Uber had been facing legal action from the US government and 50 states over its failure to disclose the data loss and its concealment of the breach from regulators.

The $148m payment should settle this legal action, but separate lawsuits brought by drivers, customers and the cities of Los Angeles and Chicago over the breach are still ongoing.

Meanwhile, Uber has pledged to change how it operates and is now also required to submit regular reports on security incidents to regulators.

European fines?

Whilst this settlement should resolve most (but not all) of the legal action Uber is facing in the United States, the question remains as to what financial penalties it will face from non-US regulators.

Deliberately concealing breaches from regulators and the public is known to attract higher fines for companies.

Had the incident taken place after the EU’s General Data Protection Regulation (GDPR) came into force this year, the penalties could have been more severe.

The GDPR replaces the Data Protection Act (DPA) 1998, and it vastly increases the power of European data protection authorities to impose fines, with organisations facing penalties of up to 20 million euros, or 4 percent of their annual worldwide turnover, whichever is greater.

But because the breach took place under the old DPA regime, the Information Commissioner’s Office in the UK, for example, can only impose fines of up to £500,000.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
