Oli Scarff/Getty Images
show image

ICO fines Uber £385k for 2016 breach cover-up, says company showed “complete disregard” for customer data

The UK’s data protection regulator has issued Uber with a £385,000 fine for failing to protect more than 2.5 million British customers’ data during a massive global hack in 2016.

The ride-hailing giant faced widespread criticism last year after revealing it had paid hackers $100,000 (£78,299) to delete the data in a bid to cover up the breach, which affected 52 million people worldwide.

Investigators at the Information Commissioner’s Office (ICO) found that “a series of avoidable data security flaws” enabled attackers to download customers names, email addresses and phone numbers through a cloud-based storage system.

The attackers used a common type of cyber attack known as credential stuffing – in which compromised username and password pairs are used to log into systems – to infiltrate Uber’s data storage system.

In addition to stealing 2.7 million British customers’ data, the hackers were also able to harvest details about the journeys and fees of almost 82,000 drivers based in the UK.

Uber was not mandated to report the breach to the ICO under the data protection legislation that existed in Europe at the time, but it was required to do so in the US. Yet the company only disclosed the breach after Dara Khosrowshahi took over from Travis Kalanick as chief executive last September. Khosrowshahi went public with the news shortly after firing the company’s chief security officer and his deputy in November last year.

Steve Eckersley, director of investigations at the Information Commissioner’s Office, said the incident reflected “not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”

He added: “Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack. Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected.”

The act of paying off hackers is strongly discouraged in the industry because it is impossible to ensure they will keep to their word and helps to sustain the cyber crime economy.

Andrew Lloyd, the president of Corero Networks, noted that while the fine was towards the upper end of the scale of fines permitted under previous data protection legislation, Uber could have been fined much more under the EU’s new General Data Protection Regulation.

“Clearly, if a similar incident was to occur again, the ICO could impose a much larger penalty now that GDPR and, for those covered by it, the NIS Regulations are in force,” he said. Under the regulation, the ICO can fine firms £17m or up to four per cent of their annual global turnover. “That level of penalty should act as a wake-up call to all organisations,” Lloyd added.

A spokesperson for Uber said: “We’re pleased to close this chapter on the data incident from 2016. As we shared with European authorities during their investigations, we’ve made a number of technical improvements to the security of our systems both in the immediate wake of the incident as well as in the years since.

“We’ve also made significant changes in leadership to ensure proper transparency with regulators and customers moving forward. Earlier this year we hired our first chief privacy officer, data protection officer, and a new chief trust and security officer.”