DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

UK’s ICO fines Uber £385,000 over data protection failings

Posted on November 27, 2018 by Dissent

The monetary penalties levied against ride-sharing giant Uber for covering up a 2016 breach continue to mount. From the ICO’s office:

The Information Commissioner’s Office (ICO) has fined ride sharing company Uber £385,000 for failing to protect customers’ personal information during a cyber attack.

A series of avoidable data security flaws allowed the personal details of around 2.7 million UK customers to be accessed and downloaded by attackers from a cloud-based storage system operated by Uber’s US parent company. This included full names, email addresses and phone numbers.

The records of almost 82,000 drivers based in the UK – which included details of journeys made and how much they were paid – were also taken during the incident in October and November 2016.

The ICO investigation found ‘credential stuffing’, a process by which compromised username and password pairs are injected into websites until they are matched to an existing account, was used to gain access to Uber’s data storage.

However, the customers and drivers affected were not told about the incident for more than a year. Instead, Uber paid the attackers responsible $100,000 to destroy the data they had downloaded.

ICO Director of Investigations Steve Eckersley said:

“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”

The incident, a serious breach of principle seven of the Data Protection Act 1998, had the potential to expose the customers and drivers affected to increased risk of fraud. It came to light when an announcement, made by the company itself, was reported by the media in November 2017.

Mr Eckersley added:

“Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack.

“Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected.”

The data protection authority for the Netherlands, the Autoriteit Persoonsgegevens, has also issued a fine to Uber today under its own pre-GDPR legislation. The Dutch regulator was the lead member of an international task force which included the ICO and which co-operated in investigating the effects of the incident in their respective jurisdictions.

Source: Information Commissioner’s Office

So the UK has fined Uber 385,000 pounds ($490,760),  the Dutch Data Protection Authority  imposed a 600,000 euro ($678,780) fine, and let’s not forget that Uber recently settled with 50 U.S. state attorneys general and the District of Columbia to the tune of $148 million. Uber’s decision to pay extortion and not to disclose the breach was a costly decision, it seems.

Category: Business SectorHackNon-U.S.Of Note

Post navigation

← Mercy Medical Center – North Iowa notifies 1,900 patients after insider wrong-doing discovered
Private data of users of PratenOnline.nl stolen and held for ransom? →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Dublin ETB fined €125,000 for data protection breaches
  • From $5,000 to $800,000: Days Apart, OCR Security Settlements Show Puzzling Math
  • Liberty Township in Ohio has recovered its network after a ransomware attack
  • Marquette County Medical Care Facility discloses data breach
  • Industry Letter – June 23, 2025: Impact to Financial Sector of Ongoing Global Conflicts
  • MNGI Digestive Health settles class action lawsuit stemming from BlackCat attack
  • Four REvil ransomware members released after time served on carding charges
  • Why Dumping Sensitive Data on Network Shares is a Liability
  • A militarily degraded Iran may turn to asymmetrical warfare – raising risk of proxy and cyber attacks
  • Pro-Russian hackers disrupt Dutch government websites ahead of NATO summit

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How Internet of Things devices affect your privacy – even when they’re not yours
  • Sky Views Personal Data as a Potential Weapon in IPTV Piracy War
  • Florida Used a Nationwide Surveillance Camera Network 250 Times To Aid in Immigration Arrests
  • Federal Court Strikes Down HIPAA Reproductive Health Care Privacy Rule
  • The Markup caught 4 more states sharing personal health data with Big Tech
  • Privacy in the Big Sky State: Montana’s Consumer Privacy Law Gets Amended
  • UK Passes Data Use and Access Regulation Bill

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.