[BreachExchange] Uber fined nearly $1.2 million by British and Dutch authorities for 2016 data breach

Destry Winant destry at riskbasedsecurity.com
Wed Nov 28 09:25:02 EST 2018


https://www.cnbc.com/2018/11/27/uber-fined-more-than-1-million-dollars-by-uk-and-dutch-authorities.html

Uber was fined a combined $1.17 million by British and Dutch
authorities Tuesday for a 2016 data breach that exposed the personal
details of millions of customers.

The U.K.'s Information Commissioner's Office (ICO) announced a
£385,000 fine ($491,284) against the ride-sharing company for "failing
to protect customers' personal information during a cyber attack" in
October and November of 2016. The Dutch Data Protection Authority
imposed its own €600,000 ($679,257) penalty for the same incident.

The 2016 cyberattack allowed hackers to access the personal details,
including full names, email addresses and phone numbers, of 2.7
million Uber customers in the U.K. and 174,000 in the Netherlands,
authorities said.

After hiding the incident for more than a year, Uber admitted last
November that hackers stole data from 57 million users and drivers
worldwide. The company also paid hackers $100,000 to delete the data
and conceal the breach.

"This was not only a serious failure of data security on Uber's part,
but a complete disregard for the customers and drivers whose personal
information was stolen," ICO Director of Investigations Steve
Eckersley said. "At the time, no steps were taken to inform anyone
affected by the breach, or to offer help and support. That left them
vulnerable."

The U.K.'s ICO said the cyberattack represented a "serious breach" of
the country's Data Protection Act of 1998 by exposing customers and
drivers to increased risk of fraud. The Dutch regulator said it was
fining Uber because it did not report the breach within the country's
mandated 72-hour window.

Because the cyberattack occurred in 2016, it was not subject to the
European Union's General Data Protection Regulation (GDPR) legislation
that went into effect in May. The new rules could increase penalties
for companies like Uber, with fines of up to 4 percent of global
annual revenues or €20 million, whichever is bigger.

In September, Uber agreed to pay $148 million to settle claims related
to the 2016 data breach to states across the U.S. and Washington, D.C.

In a statement Tuesday, an Uber spokesperson said the company is
"pleased to close this chapter on the data incident from 2016."

"We've made a number of technical improvements to the security of our
systems both in the immediate wake of the incident as well as in the
years since. We've also made significant changes in leadership to
ensure proper transparency with regulators and customers moving
forward," the statement said.
