Uber has been whacked with fines of more than £900,000 by UK and Dutch regulators for showing “complete disregard” for the personal information of both customers and drivers following a 2016 hack attack which the company covered up for over a year.
The Information Commissioner’s Office, which issued a £385,000 penalty to the ride-sharing company, said “avoidable data security flaws” had allowed the personal details of around 2.7 million UK customers to be accessed.
The data – including full names, email addresses and phone numbers – had been downloaded by attackers from a cloud-based storage system operated by Uber’s US parent company.
The records of almost 82,000 drivers based in the UK – which included details of journeys made and how much they were paid – were also taken during the incident in October and November 2016.
In the Netherlands, where 174,000 citizens were affected by the worldwide incident, Uber was fined €600,000 (£532,000) by the Dutch data protection authority.
Details of the 2016 hack, which affected 57 million Uber users worldwide and around 6 million drivers, were first disclosed last year when it also emerged that the company had paid the hackers $100,000 to delete the data rather than notifying the victims.
The ICO said the hackers used a process known as “credential stuffing”, in which compromised username and password pairs are entered into websites until they are matched to an existing account, to gain access to Uber’s data storage.
The regulator said the incident had the potential to expose customers and drivers affected to increased risk of fraud.
ICO director of investigations Steve Eckersley said: “This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen.
“At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable. Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack.
“Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected.”