Uber fined £385,000 over data protection failings, attempted cover-up
The UK data regulator announced on Tuesday it has fined Uber £385,000 over a series of data protection failures during cyber attacks in 2016.
The Information Commissioner’s Office investigated a series of "avoidable" data security flaws from Uber that allowed the personal details of around 2.7m UK customers, including full names, email addresses and phone numbers, to be accessed and downloaded by attackers from a cloud-based storage system operated by Uber’s US parent company.
Personal data from almost 82,000 drivers based in the UK was also taken during the incident in October and November 2016.
The ICO investigation found ‘credential stuffing’ was used to access Uber’s data storage. This is a process in which username and password pairs compromised elsewhere (typically leaked in breaches of other services) are tried against a target’s login interface at scale, on the assumption that some users reuse passwords, until they match an existing account.
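Credential stuffing has a recognisable signature in authentication logs: one source tries many different usernames in a short period with a high failure rate, whereas a legitimate user retrying a forgotten password hits a single account. The following detection routine is an added example written for this page; it is not code from Uber, the ICO or the article. The log format (`<ISO timestamp> <ip> <username> <FAIL|SUCCESS>`), the sample lines and the thresholds are all constructed assumptions.

```python
"""Flag credential-stuffing sources in a simple authentication log.

Added example, not from the original article. The log format, the sample
entries, the IP addresses (documentation ranges) and the thresholds below are
constructed assumptions chosen to illustrate the pattern.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source sprays six distinct accounts in four
# seconds (one of them succeeds), another retries a single account slowly.
SAMPLE_LOG = """\
2016-10-13T09:00:01 203.0.113.7 alice@example.com FAIL
2016-10-13T09:00:02 203.0.113.7 bob@example.com FAIL
2016-10-13T09:00:02 203.0.113.7 carol@example.com SUCCESS
2016-10-13T09:00:03 203.0.113.7 dave@example.com FAIL
2016-10-13T09:00:04 203.0.113.7 erin@example.com FAIL
2016-10-13T09:00:05 203.0.113.7 frank@example.com FAIL
2016-10-13T09:10:00 198.51.100.9 alice@example.com FAIL
2016-10-13T09:10:20 198.51.100.9 alice@example.com FAIL
2016-10-13T09:10:45 198.51.100.9 alice@example.com SUCCESS
"""


def parse_log(text):
    """Parse '<ISO time> <ip> <user> <result>' lines into (time, ip, user, ok)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_attempts=5, min_distinct_users=4):
    """Return {ip: summary} for sources that, within any sliding time window,
    made at least `min_attempts` login attempts against at least
    `min_distinct_users` different accounts.

    A single account being retried repeatedly does not qualify: that is a
    lockout or brute-force case, not a leaked-credential-list run. For every
    flagged IP the summary covers all of its events, so the accounts that
    actually authenticated (the likely compromised ones) are listed.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        flagged = False
        for end in range(len(evs)):
            # Advance the window start so that evs[start:end+1] spans <= window.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            if len(span) >= min_attempts and len({e[2] for e in span}) >= min_distinct_users:
                flagged = True
                break
        if flagged:
            findings[ip] = {
                "attempts": len(evs),
                "distinct_users": len({e[2] for e in evs}),
                "successful_logins": sorted(e[2] for e in evs if e[3]),
            }
    return findings


if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The thresholds are deliberately conservative and should be tuned to the service's normal traffic; in production the same logic is usually keyed on source IP, ASN or device fingerprint together, and any account in `successful_logins` is a candidate for forced password reset and session revocation.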
Affected Uber customers were not told about the incident for more than a year, the ICO noted. Instead, the company paid the attackers $100,000 to destroy the downloaded data.
ICO director of investigations Steve Eckersley said: “This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”
“Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack.
“Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected,” he added.