Uber’s widely publicized data leak from two years ago has finally resulted in a fine from the UK Information Commissioner’s Office. The penalty would have been 203 times the amount if the leak had occurred this year, after the GDPR era took effect in May.
“The Information Commissioner’s Office (ICO) has fined ride sharing company Uber £385,000 for failing to protect customers’ personal information during a cyber attack,” reads the announcement. In US dollars, that figure translates into around $492,000.
As readers may remember, a series of flaws in Uber’s servers let hackers steal personal data of 2.7 million UK customers, as well as the records of almost 82,000 British drivers. The leak exposed full names, email addresses, phone numbers, journey info and even payment data. An investigation revealed that attackers used “credential stuffing” to access the data. As its name implies, the process involves “stuffing” credentials (leaked from a previous breach) into websites until they match existing accounts.
The ICO isn’t upset about the breach itself so much as it’s upset over Uber’s poor judgement in secretly paying the attackers money to have the data destroyed, a decision that made the case so controversial. Furthermore, those affected by the breach were not told about the incident until after a full year had passed. Whenever a company is breached, rapid disclosure is imperative so customers can take steps to protect themselves against fraud.
“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable,” said ICO Director of Investigations Steve Eckersley.
“Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack. Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected,” Eckersley added.
The Netherlands has also fined Uber €600,000 through its local data protection authority, Autoriteit Persoonsgegevens.
Under the new General Data Protection Regulation, this blunder would have landed Uber a fine in the vicinity of 100 million US dollars (around £78 million) calculated at 4% of its last annual turnover of $2.7 billion. But because the breach occurred in the pre-GDPR era, the ICO has fined Uber close to the maximum penalty under the then-applicable 1996 Data Protection Act (DPA).
The ICO did the same last month when it fined Facebook the measly sum of £500,000 for the immensely controversial Cambridge Analytica scandal that was said to have helped Russia interfere with US elections. And a month earlier, the same fine was issued to Equifax for its monumental 2017 breach that resulted in exposure of 147 million customer records, the firing of two company executives overnight, and the sullying of its image beyond repair.