Technology

Uber fined $1.17 million by U.K., Dutch authorities for 2016 breach

The company could be getting fined a lot more if its breach was subject to GDPR.

November 27, 2018

(Flickr / <a href="https://www.flickr.com/photos/132115055@N04/26094517575">Núcleo Editorial</a>)

Ridehailing company Uber drew fines totaling $1.17 million from British and Dutch authorities on Tuesday for its handling of a 2016 data breach that exposed the personal information of roughly 57 million passengers and drivers.

The breach occurred in October 2016, revealing names, email addresses, phone numbers and driver’s license numbers belonging to many users. Uber paid hackers $100,000 to keep quiet and destroy the stolen data. Customers were first notified when the company’s new CEO announced the incident a year later.

The United Kingdom’s Information Commissioner’s Office, in issuing a fine of £385,000 ($491,284) on Tuesday, said that a “series of avoidable data security flaws” led to the exposure of personal data of 2.7 million riders and 82,000 drivers in the country. The Dutch Data Protection Authority also issued a fine of €600,000 ($679,257) on Tuesday, saying that the breach affected 174,000 Dutch citizens and that Uber violated the country’s regulations by not notifying users or the Dutch DPA within 72 hours of discovery.

“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable,” said Steve Eckersley, the ICO’s director of investigations, in a statement. “Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack.”

In September in the U.S., Uber also agreed to pay $148 million across the 50 states and Washington, D.C. That penalty was the largest among attorneys general settlements in privacy cases, Reuters reported.

Both fines announced Tuesday stem from regulations that predate Europe’s General Data Protection Regulation (GDPR), which went into effect in May. Had Uber’s incident been subject to GDPR, the company likely have to pay a lot more. The new regulations carry fines of up to 4 percent of a company’s annual revenue or €20 million, whichever is greater, for companies that violate the data protection rules.

Uber fined $1.17 million by U.K., Dutch authorities for 2016 breach

More Like This

House hurtles toward showdown over expiring surveillance tools

Civil society groups press platforms to step up election integrity work

Atlassian vulnerability at fault in GAO breach

Top Stories

House passes bill to limit personal data purchases by law enforcement, intelligence agencies

Mandiant: Notorious Russian hacking unit linked to breach of Texas water facility

‘Large volume’ of data stolen from UN agency after ransomware attack

More Scoops

Britain’s data watchdog fines TikTok $15.9 million for alleged misuse of children’s data

FTC settlement requires CafePress owners to pay $500,000 to victims of 2019 data breach

Ireland slaps Facebook with $19M fine over 2018 data breaches

Norway fines Grindr for $7.3 million over privacy breach

UK threatens Clearview AI with nearly $23M fine over its facial recognition tech

T-Mobile confirms breach exposed sensitive data of more than 40 million people

Grindr faces fine of nearly $12 million in Norway for alleged privacy violations

Latest Podcasts

How Troy Hunt knows if you’ve been hacked and Washington tries to understand AI

Why pig butchering is the worst kind of online scam

How the FBI fights ransomware

Rumman Chowdhury on AI red-teaming; a Sisense supply chain attack

Government

Technology

Threats

Geopolitics