The Information Commissioner's Office (ICO) has fined ride-hailing app Uber £385,000 following a 2016 data breach that exposed the personal details of millions of customers in the UK.
More than 2.7 million users in the UK, along with 82,000 drivers, were affected by the incident, which saw hackers gain access to databases containing information such as full names, email addresses, phone numbers and records of journeys taken.
The ICO said this was the result of "a series of avoidable data security flaws" and had the potential to expose the victims to an increased risk of fraud.
Its investigation revealed that the hackers gained access to Uber's database through a technique called credential stuffing: replaying username and password pairs leaked in earlier, unrelated breaches against a login service at scale, until some of them match existing accounts whose owners reused the same password elsewhere.
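The characteristic signature of the technique described above is one source cycling through many different usernames with a high failure rate, with the occasional success marking an account that was actually compromised. The following is an added example of detection logic over a constructed login log; it is not Uber's or the ICO's code, and the log format (`<timestamp> src=<ip> user=<name> result=<ok|fail>`), the source addresses and the thresholds are assumptions made for illustration.

```python
"""Credential-stuffing detection over login logs.

Added example for the article's description of credential stuffing; it is not
Uber's or the ICO's code. Assumed (not from the article): an authentication
service writes one line per login attempt in the form

    <ISO-8601 UTC timestamp> src=<client ip> user=<username> result=<ok|fail>

and the thresholds below are illustrative, not tuned values.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)   # sliding window per source address
MIN_DISTINCT_USERS = 5          # stuffing cycles through many accounts...
MIN_FAIL_PCT = 80               # ...and most leaked pairs no longer work

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample log. 203.0.113.7 replays leaked username/password pairs
# against ten different accounts in ten seconds; two of them still work.
# 198.51.100.5 is an ordinary user mistyping once; 192.0.2.9 fails on three
# accounts, below the distinct-user threshold.
SAMPLE_LOG = """\
2016-10-13T02:00:01Z src=203.0.113.7 user=user01@example.com result=fail
2016-10-13T02:00:02Z src=203.0.113.7 user=user02@example.com result=fail
2016-10-13T02:00:03Z src=203.0.113.7 user=user03@example.com result=fail
2016-10-13T02:00:04Z src=203.0.113.7 user=user04@example.com result=fail
2016-10-13T02:00:05Z src=203.0.113.7 user=user05@example.com result=fail
2016-10-13T02:00:06Z src=203.0.113.7 user=user06@example.com result=fail
2016-10-13T02:00:07Z src=203.0.113.7 user=user07@example.com result=ok
2016-10-13T02:00:08Z src=203.0.113.7 user=user08@example.com result=fail
2016-10-13T02:00:09Z src=203.0.113.7 user=user09@example.com result=fail
2016-10-13T02:00:10Z src=203.0.113.7 user=user10@example.com result=ok
2016-10-13T02:01:00Z src=198.51.100.5 user=alice@example.com result=fail
2016-10-13T02:01:05Z src=198.51.100.5 user=alice@example.com result=ok
2016-10-13T02:02:00Z src=192.0.2.9 user=bob@example.com result=fail
2016-10-13T02:02:01Z src=192.0.2.9 user=carol@example.com result=fail
2016-10-13T02:02:02Z src=192.0.2.9 user=dave@example.com result=fail
this line is not a login record and is skipped
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "user": m["user"], "ok": m["result"] == "ok"}


def parse_log(text):
    """Parse a whole log, dropping unparseable lines, and return events sorted by time."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    return events


def detect_stuffing(events, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                    min_fail_pct=MIN_FAIL_PCT):
    """Flag source addresses whose sliding window shows many distinct usernames
    and a high failure rate. Returns {src: finding}; 'compromised' holds the
    accounts that accepted a password from a flagged source, i.e. the ones
    whose credentials must be reset, not merely the ones that were attacked."""
    recent = defaultdict(deque)
    findings = {}
    for e in events:
        q = recent[e["src"]]
        q.append(e)
        while e["ts"] - q[0]["ts"] > window:
            q.popleft()
        users = {x["user"] for x in q}
        fails = sum(1 for x in q if not x["ok"])
        # integer comparison avoids float edge cases exactly at the threshold
        if len(users) >= min_users and fails * 100 >= min_fail_pct * len(q):
            f = findings.setdefault(e["src"], {
                "first_seen": q[0]["ts"], "distinct_users": 0, "compromised": set()})
            f["distinct_users"] = max(f["distinct_users"], len(users))
            f["compromised"] |= {x["user"] for x in q if x["ok"]}
    return findings


if __name__ == "__main__":
    for src, f in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {f['distinct_users']} accounts tried since {f['first_seen']:%H:%M:%S}; "
              f"reset passwords for: {sorted(f['compromised'])}")
```

Two practitioner caveats on this approach: real stuffing campaigns are usually spread across proxy or botnet addresses precisely to stay under per-source thresholds, so a rule like this should be paired with checks that do not depend on the source address (screening new passwords against known-breached lists, and multi-factor authentication so a matched password alone is not enough); and the successes inside a flagged spray are the actionable output, because those are the accounts that were actually opened.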
Uber was also criticised by the regulator for its response to the breach. Instead of notifying the individuals affected, the company paid the hackers $100,000 (£78,200) to destroy the stolen data and failed to inform users about the breach for more than a year.
Director of investigations at the ICO Steve Eckersley said: "This was not only a serious failure of data security on Uber's part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable."
Mr Eckersley noted that, although under the law in force at the time of the breach Uber had no legal obligation to report it, the company's actions were "not … an appropriate response" to the attack.
The outcome might have been very different had the incident taken place after 25 May 2018, when the GDPR came into force. As well as requiring firms to report qualifying personal data breaches to the regulator within 72 hours of becoming aware of them, the rules greatly increase the potential fines for incidents found to have been avoidable, to as much as €20 million or 4% of global annual turnover, whichever is higher.
Chun Wong, partner at law firm Hodge Jones and Allen, told the Daily Telegraph: "Uber will consider themselves fortunate that higher fines brought in in May this year were not in force. The fine of £385,000 seems a small price to pay and will be of little comfort to those affected."
However, despite this, Uber has still paid a heavier price for the incident in the US, where in September 2018 it agreed to pay $148 million to settle claims brought by the attorneys general of all 50 states and the District of Columbia over the breach and its concealment.