Uber, the sometimes-controversial ridesharing taxi app, has been fined £385,000 by the Information Commissioner’s Office (ICO) for failing to adequately safeguard the personal data of 2.7 million UK customers during a 2016 cyber-attack.
The records of almost 82,000 UK Uber drivers were also taken through a process known as ‘credential stuffing’, in which compromised username and password pairs are injected into websites until they match an existing account.
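Credential stuffing leaves a recognisable trace in authentication logs: one source trying many different usernames in a short time, rather than one user retrying their own password. The detector below is an added example written for this article, not code from Uber or the ICO; the log line format and the thresholds are assumptions, and the log lines are constructed.

```python
# Added example (not part of the original article): flag the login pattern that
# credential stuffing produces, using constructed sample log lines.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in an assumed format: "<ISO timestamp> <src_ip> <username> <result>"
SAMPLE_LOG = """\
2016-10-13T03:00:01 203.0.113.7 alice FAIL
2016-10-13T03:00:02 203.0.113.7 bob FAIL
2016-10-13T03:00:03 203.0.113.7 carol FAIL
2016-10-13T03:00:04 203.0.113.7 dave SUCCESS
2016-10-13T03:00:05 203.0.113.7 erin FAIL
2016-10-13T03:00:06 203.0.113.7 frank FAIL
2016-10-13T03:05:00 198.51.100.4 alice FAIL
2016-10-13T03:05:10 198.51.100.4 alice FAIL
2016-10-13T03:05:20 198.51.100.4 alice SUCCESS
"""

def parse_log(text):
    """Parse the assumed log format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def detect_stuffing(events, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs that attempt logins for >= min_users distinct usernames
    within `window`. A single user retrying their own password (198.51.100.4)
    is not flagged; one source cycling through many accounts (203.0.113.7) is.
    Returns {ip: {"distinct_users": n, "successes": m}} for flagged sources;
    a non-zero success count is what makes the alert worth acting on."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in sorted(events):
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, attempts in by_ip.items():
        for i, (start, _, _) in enumerate(attempts):
            in_window = [a for a in attempts[i:] if a[0] - start <= window]
            users = {u for _, u, _ in in_window}
            if len(users) >= min_users:
                successes = sum(1 for _, _, r in in_window if r == "SUCCESS")
                flagged[ip] = {"distinct_users": len(users), "successes": successes}
                break
    return flagged

if __name__ == "__main__":
    print(detect_stuffing(parse_log(SAMPLE_LOG)))
```

Real deployments spread attempts across many source addresses, so the same logic is usually keyed on additional signals (ASN, user agent, failure ratio) rather than a single IP.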
Rather than let their customers and drivers know about the breach, Uber paid their attackers $100,000 to destroy the stolen data.
ICO Director of Investigations, Steve Eckersley, said:
Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack.
Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected.
It should be noted that the maximum penalty that could now be imposed under the present Data Protection Act 2018 would be £17 million or 4% of global turnover.