Home / News & Resources / News & Updates / Uber fined £385,000 for data breach

Uber fined £385,000 for data breach

Posted onNovember 29, 2018

Uber has been fined £385,000 by the Information Commissioner's Office (ICO) after a hack at the company resulted in the theft of personal information of almost three million users and 82,000 drivers in the UK.

The data protection regulator has criticised the company for its failure to alert these victims about the hack.

What happened in this case?

In November 2016, hackers managed to access Uber's cloud servers and downloaded a number of files. This included the records of 35 million users and 3.7 million drivers worldwide. Passengers' full names, phone numbers, and email addresses were all accessed.

Instead of reporting it, Uber hid evidence of the theft and paid a ransom to ensure the data wouldn't be misused.

What was the result of the investigation?

Following an investigation into the breach, the ICO has said that a series of avoidable data security flaws allowed the personal details to be put at risk. The ICO also found that the situation was made worse by Uber US's decision to not disclose the attack. None of the people whose personal data was compromised was notified of the breach at the time, and the company only began monitoring accounts for fraud 12 months later.

ICO Director of Investigations Steve Eckersley said: "This was not only a serious failure of data security on Uber's part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable."

While it is only right that Uber has been fined for the breach, there is less good news for any customers who were hoping to seek compensation.

Uber's European branches were also not informed about the hack, and there was no legal duty to report data breaches under the old legislation. However, the ICO has said that paying the attackers and then keeping quiet about it was not an appropriate response to the cyber-attack.

The 2016 breach occurred under previous data protection legislation which has a maximum financial penalty of £500,000. Under the GDPR, the potential fine would be much higher.

If you have been the victim of a data breach then you can contact us about your case today

Get in touch

Great people!

Meet the team

In the newsRead more news

Common Causes of Data Breaches

PostedMarch 7, 2024

Data breaches are a common occurrence across a wide range of industries. Countless organisations have been caught out, particularly in recent years, leading to the exposure of highly sensitive personal...

What To Do If Your Bank Account Is Hacked?

PostedJanuary 30, 2024

Having your bank account hacked is one of the scariest and most devastating types of crime you can experience. It can cause immediate financial difficulties and long-term harm to your...

To speak to one of our experts please call 0330 041 5134 or fill out our form to make a claim.

Get in touch

Call us about your claim
- - - 0151 363 5895
Make a claim

Find out how our experts can help you with your claim
Make a claim