The UK Information Commissioner's Office (ICO) and the Dutch Data Protection Authority (Dutch DPA) on Tuesday fined Uber £385,000 and €600,000, respectively, over a 2016 data breach that exposed the sensitive data of more than 57 million of its users worldwide.
According to UK officials, between October 13 and November 15, 2016, Uber's four UK affiliates (Uber London Limited, Uber Britannia Limited, Uber Scot Limited, Uber NIR Limited), along with Uber US, which serves as the data processor for these affiliates, were subject to an external cyber attack. The attackers obtained the credentials for an Uber US service account maintained through Amazon Web Services' Simple Storage Service (S3) and informed Uber US of their access. The data of approximately 2.7 million UK riders and 82,000 drivers, which included phone numbers, email addresses, passwords, driver's license information and, in some instances, sign-up location data for riders, was exposed.
Dutch authorities said the data of approximately 174,000 Dutch citizens was exposed in the breach, which Uber did not report to them within 72 hours as required by Dutch data protection law. They also said that rider and driver data, including names, mobile phone numbers and email addresses, was exposed.
The authorities could not levy the much higher fines now in place under the EU’s General Data Protection Regulation (GDPR), because the data breach took place before the regulation was enacted in May.
Uber allegedly paid the hacker $100,000 to keep quiet about the breach and destroy the data he uncovered.