Ride-hailing company Uber drew fines totaling $1.17 million from British and Dutch authorities on Tuesday for its handling of a 2016 data breach that exposed the personal information of roughly 57 million passengers and drivers.
The breach occurred in October 2016, revealing names, email addresses, phone numbers and driver’s license numbers belonging to many users. Uber paid hackers $100,000 to keep quiet and destroy the stolen data. Customers were first notified when the company’s new CEO announced the incident a year later.
The United Kingdom’s Information Commissioner’s Office, in issuing a fine of £385,000 ($491,284) on Tuesday, said that a “series of avoidable data security flaws” led to the exposure of personal data of 2.7 million riders and 82,000 drivers in the country. The Dutch Data Protection Authority also issued a fine of €600,000 ($679,257) on Tuesday, saying that the breach affected 174,000 Dutch citizens and that Uber violated the country’s regulations by not notifying users or the Dutch DPA within 72 hours of discovery.
“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable,” said Steve Eckersley, the ICO’s director of investigations, in a statement. “Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack.”
In September in the U.S., Uber also agreed to pay $148 million across the 50 states and Washington, D.C. That penalty was the largest among attorneys general settlements in privacy cases, Reuters reported.
Both fines announced Tuesday stem from regulations that predate Europe’s General Data Protection Regulation (GDPR), which went into effect in May. Had Uber’s incident been subject to GDPR, the company would likely have had to pay a lot more. The new regulations carry fines of up to 4 percent of a company’s annual revenue or €20 million, whichever is greater, for companies that violate the data protection rules.