Home / News & Resources / News & Updates / Uber fined £385,000 for data breach

Uber fined £385,000 for data breach

  • Posted on

Uber has been fined £385,000 by the Information Commissioner's Office (ICO) after a hack at the company resulted in the theft of personal information of almost three million users and 82,000 drivers in the UK.

The data protection regulator has criticised the company for its failure to alert these victims about the hack.

What happened in this case?

In November 2016, hackers managed to access Uber's cloud servers and downloaded a number of files. This included the records of 35 million users and 3.7 million drivers worldwide. Passengers' full names, phone numbers, and email addresses were all accessed.

Instead of reporting it, Uber hid evidence of the theft and paid a ransom to ensure the data wouldn't be misused.

What was the result of the investigation?

Following an investigation into the breach, the ICO has said that a series of avoidable data security flaws allowed the personal details to be put at risk. The ICO also found that the situation was made worse by Uber US's decision to not disclose the attack. None of the people whose personal data was compromised was notified of the breach at the time, and the company only began monitoring accounts for fraud 12 months later.

ICO Director of Investigations Steve Eckersley said: "This was not only a serious failure of data security on Uber's part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable."

While it is only right that Uber has been fined for the breach, there is less good news for any customers who were hoping to seek compensation.

Uber's European branches were also not informed about the hack, and there was no legal duty to report data breaches under the old legislation. However, the ICO has said that paying the attackers and then keeping quiet about it was not an appropriate response to the cyber-attack.

The 2016 breach occurred under previous data protection legislation which has a maximum financial penalty of £500,000. Under the GDPR, the potential fine would be much higher.

If you have been the victim of a data breach then you can contact us about your case today