UK and Dutch data protection bodies fine Uber for breaches

Global ridesharing giant Uber has been hit with fines from both UK and Dutch data protection authorities after attackers gained access to the personal information of around 50 million users worldwide.

The UK’s Information Commissioner’s Office (ICO) issued Uber with a £385,000 (€435,000) fine on Tuesday (27 November) for failing to protect customer data after the personal information of around 2.7 million UK users was unlawfully accessed.

Also on Tuesday, the Dutch Data Protection Authority (DPA) served the firm with €600,000 in sanctions for breaches which affected 174,000 people in the country.

“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen,” ICO Director of Investigations Steve Eckersley said in a statement on Tuesday (27 November).

“At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”

Data taken in the attacks, which took place across October and November 2016, included the names, email addresses and phone numbers of those on Uber’s books, as well as journey details and the cost of individual trips.

Uber ‘pay-off’ to cybercriminals

UK residents affected by the attacks were not informed about the incident for more than a year. In the meantime, Uber paid attackers $100,000 (€90,000) to delete the retrieved information.

EURACTIV recently reported that a September study by Europol found that ‘pay-offs’ such as these may not be as uncommon as they might first seem.

Europol’s research suggests that companies may try to bypass fines for data protection breaches by negotiating with cybercriminals.

Lucky escape from GDPR fines

Uber’s UK fine was issued under the Data Protection Act 1998, not the better-known General Data Protection Regulation (GDPR), which took effect in May this year.

Fines for violations of European privacy regulation under GDPR are much higher than those under the previous rules, and maximum fines of £17 million (€20 million) or 4% of global turnover can be issued.

The sanctions levied on Uber are the latest in a string of fines issued by the ICO, the most recent being the £500,000 (€565,000) fine for Facebook, which the tech firm has recently announced it is appealing.

In September, Uber agreed to a $148m (€168m) penalty settlement with 50 US states and the District of Columbia, closing the book on claims brought against it after details of the 2017 breach emerged.

Chapter closed

In response to Tuesday’s sanctions from the UK and Dutch authorities, Uber said it was looking forward to putting this embarrassing episode behind it.

Following the violations, the company has created a number of new roles to bolster its cybersecurity capability, including a chief privacy officer, a data protection officer and a new chief trust and security officer.

“We’re pleased to close this chapter on the data incident from 2016,” an Uber spokesman said on Tuesday.

“We learn from our mistakes and continue our commitment to earn the trust of our users every day.”