Uber fined £385,000 for 2016 data hack
The Information Commissioner’s Office (ICO) said a series of avoidable security flaws allowed the personal details of around 2.7 million UK customers to be accessed and downloaded by attackers including full names, email addresses and phone numbers.
The records of almost 82,000 drivers based in the UK – which included details of journeys made and how much they were paid – were also taken during the incident in October and November 2016.
The ICO investigation found ‘credential stuffing’, a process by which compromised username and password pairs are injected into websites until they are matched to an existing account, was used to gain access to Uber’s data storage.
Customers and drivers were not told about the hack for more than a year. Instead, Uber paid the attackers responsible $100,000 to destroy the data they had downloaded.
The attack came to light when an announcement, made by the company itself, was reported in November 2017.
ICO director of investigations Steve Eckersley said: “This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.
“Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack.
“Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected.”