
Uber fined after 'serious breach' allows hackers to download 2.7 million customers' data

‘A series of avoidable data security flaws’ allowed attackers to access full names, email addresses and phone numbers

Ben Chapman
Tuesday 27 November 2018 10:19 GMT

Uber has been fined £385,000 after “a series of avoidable data security flaws” allowed hackers to download personal information from 2.7 million customers.

The Information Commissioner’s Office (ICO) found Uber was guilty of a “serious breach” of UK data protection law and showed a “complete disregard” for the customers and drivers whose information was stolen.

Full names, email addresses and phone numbers were obtained during the October and November 2016 attack but Uber did not inform customers or drivers for more than a year. Instead it paid the attackers $100,000 (£78,000) to destroy the information they had downloaded.

The security breach potentially exposed users of Uber’s app to an increased risk of fraud, the ICO said in a ruling on Tuesday.

The records of almost 82,000 drivers based in the UK – which included details of journeys made and how much they were paid – were also taken during the incident.

“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen,” said ICO director of investigations Steve Eckersley.

“At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support.

“That left them vulnerable.”

The ICO investigation found “credential stuffing”, a process by which compromised username and password pairs are injected into websites until they are matched to an existing account, was used to gain access to Uber’s data storage.
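The pattern the ICO describes, many different usernames tried from one source with a high failure rate and the occasional success, is visible in ordinary authentication logs. The following detector is an added example, not code from Uber, the ICO or this article; the log format, field names, sample addresses and thresholds are all assumptions, and the log lines are constructed for the demonstration.

```python
"""
Flag credential-stuffing activity in authentication logs.

Added illustrative example (not Uber's or the ICO's code). The log
format, field names and thresholds below are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines. Assumed format: ISO timestamp, source IP,
# username attempted, outcome of the login attempt.
SAMPLE_LOG = """\
2016-10-13T04:12:01Z ip=203.0.113.7 user=alice result=FAIL
2016-10-13T04:12:02Z ip=203.0.113.7 user=bob result=FAIL
2016-10-13T04:12:02Z ip=203.0.113.7 user=carol result=FAIL
2016-10-13T04:12:03Z ip=203.0.113.7 user=dave result=OK
2016-10-13T04:12:03Z ip=203.0.113.7 user=erin result=FAIL
2016-10-13T04:12:04Z ip=203.0.113.7 user=frank result=FAIL
2016-10-13T04:12:04Z ip=203.0.113.7 user=grace result=FAIL
2016-10-13T04:12:05Z ip=203.0.113.7 user=heidi result=OK
2016-10-13T04:20:00Z ip=198.51.100.4 user=ivan result=FAIL
2016-10-13T04:20:07Z ip=198.51.100.4 user=ivan result=FAIL
2016-10-13T04:20:15Z ip=198.51.100.4 user=ivan result=OK
2016-10-13T05:01:00Z ip=192.0.2.9 user=judy result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse log text into (timestamp, ip, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "OK"))
    return events


def find_credential_stuffing(events, window=timedelta(minutes=10),
                             min_distinct_users=5, min_fail_ratio=0.6):
    """Return {ip: stats} for source IPs whose attempts inside a sliding
    window hit many distinct usernames with a high failure ratio.

    One user retrying a forgotten password (single username, few attempts)
    is not flagged; a leaked username/password list replayed from one
    address (many usernames, mostly failures, a few successes) is.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _, _) in enumerate(attempts):
            in_window = [a for a in attempts[i:] if a[0] - start <= window]
            users = {u for _, u, _ in in_window}
            fails = sum(1 for _, _, ok in in_window if not ok)
            ratio = fails / len(in_window)
            if len(users) >= min_distinct_users and ratio >= min_fail_ratio:
                flagged[ip] = {
                    "attempts": len(in_window),
                    "distinct_users": len(users),
                    "fail_ratio": round(ratio, 2),
                    # accounts whose stolen password still works: these are
                    # the ones to reset and notify first
                    "compromised_accounts": sorted(
                        u for _, u, ok in in_window if ok),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, stats in find_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

Running it flags only the address that cycled through eight usernames in a few seconds, and lists the two accounts whose reused passwords matched. The successes are the actionable output: those accounts need a forced reset and a notification, which is the step the ICO faulted Uber for not taking.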

Dutch authorities also issued a fine to Uber on Tuesday after an international task force investigated the effects of the hack.

Mr Eckersley added: “Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyberattack.”

Under the laws in place at the time, Uber had no duty to report data breaches. However, its “poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected”, the ICO said.

New, stricter rules came into force in May this year, meaning any similar breach could attract a significantly larger penalty.


Companies found guilty of a breach of the General Data Protection Regulations are liable to fines of up to €20m (£17.8m) or 4 per cent of global turnover, which could amount to billions of euros for the largest technology companies.

Chun Wong, partner at Hodge Jones and Allen, a law firm which specialises in data breach cases, said: “Uber’s flagrant disregard with people’s data and then attempts to cover it up signifies one of the worst data breaches we have seen to date.”

The £385,000 fine was a “small price to pay” and will be of little comfort to those affected, Ms Wong said.

“Millions of people who had their data stolen will need to think twice now about using the services of a business that shows an apparent contempt for upholding the highest standards to safeguard personal data of their customers.”

The fine adds to a lengthening list of Uber’s clashes with regulators around the world and comes as the ride hailing firm battles drivers in UK courts over their employment status.

The company says its drivers are self-employed contractors and therefore not entitled to rights such as the national living wage.

Some drivers, backed by unions, claim that they should be legally classified as workers and given basic employment rights.

Chief executive Dara Khosrowshahi has been on a charm offensive to improve Uber’s image since he took over in the wake of a series of scandals under founder Travis Kalanick.

A spokesperson said Uber had improved its security since the 2016 attack, adding: “We’ve also made significant changes in leadership to ensure proper transparency with regulators and customers moving forward.

“Earlier this year we hired our first chief privacy officer, data protection officer, and a new chief trust and security officer. We learn from our mistakes and continue our commitment to earn the trust of our users every day.”
