Like Facebook, Uber has escaped a potentially much higher fine for data protection failings because the 2016 breach that affected millions of UK customers is not covered by the GDPR
The Information Commissioner’s Office (ICO) has fined ride-sharing company Uber £385,000 for failing to protect customers’ personal information during a cyber attack.
The fine comes just two months after Uber agreed to a $148m settlement agreement in a case in the US brought by 50 US states and the District of Columbia over Uber’s attempt to cover up the data breach in 2016, which only came to light in 2017 when it emerged that 600,000 US drivers and 57 million user accounts had been affected.
An ICO investigation found that a series of avoidable data security flaws allowed the personal details of around 2.7 million UK customers to be accessed and downloaded by attackers from a cloud-based storage system operated by Uber’s US parent company. This included full names, email addresses and phone numbers.
The records of almost 82,000 drivers based in the UK – which included details of journeys made and how much they were paid – were also taken during the incident in October and November 2016.
The ICO investigation found that credential stuffing, a process by which compromised username and password pairs are injected into websites until they are matched to an existing account, was used to gain access to Uber’s data storage.
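Credential stuffing has a distinctive footprint in authentication logs: one source tries many different usernames, each only once or twice, and most attempts fail because only a fraction of the leaked pairs are reused on the target. Brute forcing, by contrast, hammers a single account. The following detector is an added example written for this article, not code from Uber or the ICO; it assumes a constructed one-line-per-attempt log format (timestamp, source IP, username, result) and made-up IP addresses and usernames, and it reports the accounts on which a flagged source actually succeeded, since those are the accounts a defender must reset first.

```python
"""Credential-stuffing detection over authentication logs (added example).

Assumed, constructed log format, one attempt per line:
    2016-10-13T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
A source is flagged when, inside a time window, it tries at least
`min_users` distinct accounts, most attempts fail, and nearly every
attempt targets a different account (high username diversity).
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class Attempt:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_line(line: str):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Attempt(ts, m["ip"], m["user"], m["result"] == "OK")


def detect_credential_stuffing(lines, window=timedelta(minutes=10),
                               min_users=5, min_fail_ratio=0.6, min_diversity=0.8):
    """Return {ip: summary} for sources whose activity looks like credential stuffing.

    Thresholds are illustrative assumptions; tune them to real traffic.
    """
    by_ip = defaultdict(list)
    for line in lines:
        attempt = parse_line(line)
        if attempt:
            by_ip[attempt.ip].append(attempt)

    findings = {}
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda a: a.ts)
        # Slide a window starting at each attempt; stop at the first match.
        for i, start in enumerate(attempts):
            win = [a for a in attempts[i:] if a.ts - start.ts <= window]
            users = {a.user for a in win}
            fails = sum(not a.ok for a in win)
            if (len(users) >= min_users
                    and fails / len(win) >= min_fail_ratio
                    and len(users) / len(win) >= min_diversity):
                findings[ip] = {
                    "attempts": len(win),
                    "distinct_users": len(users),
                    "failures": fails,
                    # Accounts where a leaked pair matched: reset these first.
                    "compromised": sorted(a.user for a in win if a.ok),
                }
                break
    return findings


# Constructed sample: one stuffing source, one single-account brute force,
# and one legitimate user. IPs are from documentation ranges.
SAMPLE_LOG = """\
2016-10-13T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2016-10-13T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2016-10-13T10:00:03Z ip=203.0.113.5 user=carol result=OK
2016-10-13T10:00:04Z ip=203.0.113.5 user=dave result=FAIL
2016-10-13T10:00:05Z ip=203.0.113.5 user=erin result=FAIL
2016-10-13T10:00:06Z ip=203.0.113.5 user=frank result=FAIL
2016-10-13T10:00:07Z ip=203.0.113.5 user=grace result=FAIL
2016-10-13T10:00:08Z ip=203.0.113.5 user=heidi result=FAIL
2016-10-13T10:00:09Z ip=198.51.100.9 user=bob result=FAIL
2016-10-13T10:00:10Z ip=198.51.100.9 user=bob result=FAIL
2016-10-13T10:00:11Z ip=198.51.100.9 user=bob result=FAIL
2016-10-13T10:00:12Z ip=198.51.100.9 user=bob result=FAIL
2016-10-13T10:00:13Z ip=198.51.100.9 user=bob result=FAIL
2016-10-13T10:00:14Z ip=198.51.100.9 user=bob result=FAIL
2016-10-13T10:01:00Z ip=192.0.2.10 user=alice result=OK
2016-10-13T10:05:00Z ip=192.0.2.10 user=alice result=OK
"""

if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

The diversity check is what separates stuffing from brute force: the source at 198.51.100.9 fails just as often but against a single account, so it is left to a per-account lockout rule instead. In practice the same logic runs over the authentication log of whatever system holds the data, and a hit on a source with any successful logins should trigger forced password resets and a review of what that session accessed.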
However, the customers and drivers affected were not told about the incident for more than a year, when it emerged that Uber had paid the cyber attackers $100,000 through its bug bounty programme to delete the stolen data and keep quiet about the breach.
ICO director of investigations, Steve Eckersley, said: “This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen.