Uber Fined By Regulators For Hiding Data Breach

A data breach cover-up by taxi-hailing giant Uber has cost the firm even more money after stiff fines by two European regulators.

The British and Dutch data protection regulators concluded their investigations and slapped the firm with fines totalling over $1 million.

It comes after Uber admitted in September that it also would pay $148m (£113m) in order to settle legal action over the cyber-attack in October 2016, which exposed data from 58 million customers and drivers.

European fines

It is understood that no financial details or journey records were taken by the hacker, who was paid $100,000 to delete the files, but some personal information was stolen and there were no guarantees the data was actually destroyed.

Uber reportedly used its so-called “bug bounty” program (normally used to identify small code vulnerabilities) to pay off the hacker (said to be an unidentified 20-year-old man in Florida).

Uber came clean about the incident in November 2017, after new CEO Dara Khosrowshahi said he only became aware of the breach recently. Khosrowshahi had only joined the company earlier in 2017 and said the company was working with the authorities.

But the admission prompted an investigation by European authorities and the Information Commissioner’s Office (ICO) fined the company 385,000 pounds ($490,760), while the Dutch Data Protection Authority (DPA) slapped Uber with a 600,000 euro ($678,780) fine.

“The records of almost 82,000 drivers based in the UK – which included details of journeys made and how much they were paid – were also taken during the incident in October and November 2016,” the ICO said in its ruling.

“A series of avoidable data security flaws allowed the personal details of around 2.7 million UK customers to be accessed and downloaded by attackers from a cloud-based storage system operated by Uber’s US parent company,” it added. “This included full names, email addresses and phone numbers.”

“However, the customers and drivers affected were not told about the incident for more than a year,” it said. “Instead, Uber paid the attackers responsible $100,000 to destroy the data they had downloaded.”

Complete disregard

“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen,” said ICO Director of Investigations Steve Eckersley.

“At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable,” he added. “Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack.”

“Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected,” he added.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
