British and Dutch watchdogs hit Uber with more than $1 million in fines Tuesday in response to a massive 2016 cyberattack in which the personal data of more than 57 million users was stolen.
But the penalties for the ride-hailing app — which was criticized by regulators for paying off the hackers and keeping the breach secret from customers — could have been even more severe.
Under new EU data protection rules introduced in May, regulators could have imposed a fine of up to 4 percent of the tech giant’s global turnover. The 2016 breach, which affected 57 million passengers and drivers globally, was not eligible for the higher penalties because it predated the new rules.
Instead, Britain’s Information Commissioner’s Office (ICO) fined Uber 385,000 pounds ($490,760) while the Dutch Data Protection Authority leveled a 600,000 euro ($678,780) penalty over the breach in October and November 2016. To access the company’s cloud-based storage system, the hackers used a technique called credential stuffing, in which username and password pairs compromised elsewhere are tried against a website until one matches an existing account.
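Credential stuffing, as described above, is distinguishable in login telemetry by its breadth: one source tries many different usernames, typically once each, rather than hammering a single account. The detector below is an added illustration written for this article, not code from Uber or from either regulator; it assumes a hypothetical login-audit line format (`<ISO timestamp> src=<ip> user=<username> result=<success|failure>`) and uses constructed sample lines, with documentation-range IP addresses, to show how a defender would flag a source that cycles through many accounts within a short window and surface any accounts it actually got into.

```python
"""Credential-stuffing detector over constructed login-audit lines.

Hypothetical log format (assumed for this example, not from any real system):
    <ISO timestamp> src=<ip> user=<username> result=<success|failure>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>success|failure)$"
)

# Constructed sample: 203.0.113.7 walks through six different accounts in a few
# seconds (stuffing pattern, with one hit); 198.51.100.4 is one user mistyping.
SAMPLE_LOG = """\
2016-10-13T09:00:01 src=203.0.113.7 user=alice result=failure
2016-10-13T09:00:02 src=203.0.113.7 user=bob result=failure
2016-10-13T09:00:03 src=203.0.113.7 user=carol result=failure
2016-10-13T09:00:04 src=203.0.113.7 user=dave result=success
2016-10-13T09:00:05 src=203.0.113.7 user=erin result=failure
2016-10-13T09:00:06 src=203.0.113.7 user=frank result=failure
2016-10-13T09:00:10 src=198.51.100.4 user=alice result=failure
2016-10-13T09:00:12 src=198.51.100.4 user=alice result=failure
2016-10-13T09:00:20 src=198.51.100.4 user=alice result=success
"""


def parse_line(line):
    """Parse one audit line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "user": m["user"],
        "result": m["result"],
    }


def detect_stuffing(lines, window=timedelta(minutes=5), min_users=5):
    """Flag sources that attempt >= min_users distinct usernames within `window`.

    Returns {src: {"distinct_users": peak count, "successes": [accounts that
    logged in from that source while it was over threshold]}}.
    """
    recent = defaultdict(deque)  # per-source sliding window of (ts, user, result)
    flagged = defaultdict(lambda: {"distinct_users": 0, "successes": set()})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip malformed lines rather than crash the detector
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["user"], ev["result"]))
        # Drop events older than the window (the event just appended keeps q non-empty).
        while ev["ts"] - q[0][0] > window:
            q.popleft()
        users = {u for _, u, _ in q}
        if len(users) >= min_users:
            entry = flagged[ev["src"]]
            entry["distinct_users"] = max(entry["distinct_users"], len(users))
            # Accounts the source actually entered are the ones to reset and notify.
            entry["successes"].update(u for _, u, r in q if r == "success")
    return {
        src: {"distinct_users": e["distinct_users"], "successes": sorted(e["successes"])}
        for src, e in flagged.items()
    }


if __name__ == "__main__":
    for src, info in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {info['distinct_users']} accounts tried, "
              f"compromised: {info['successes']}")
```

The threshold is on distinct usernames per source, not on failures per account, because a stuffing run may fail only once per account and never trip a per-account lockout; the successes list is what a response team would act on (forced credential reset and notification of the affected users). On real telemetry the source key would need to account for attackers rotating through proxy addresses, and the strongest preventive controls remain multi-factor authentication and rejecting passwords known to appear in breach corpora.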
The ICO said in a statement Tuesday that a series of “avoidable data security flaws” resulted in the leak of personal data of about 2.7 million Uber customers in Britain — including names, mobile phone numbers and email addresses — as well as records for about 82,000 drivers, including their journeys and how much they were paid.
Uber discovered the attack in December 2016, but instead of making it public, it paid the hackers $100,000 to destroy the stolen data, the company revealed last November.
“This was not only a serious failure of data security on Uber’s part but also a complete disregard for the customers and drivers whose personal information was stolen,” the ICO’s director of investigations, Steve Eckersley, said.
“At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support… Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyberattack.”
The Dutch Data Protection Authority also took the delay in notifying customers into consideration in determining the penalty, noting that Uber “did not report the data breach to the Dutch DPA and the data subjects within 72 hours after the discovery of the breach.”
Uber struck a deal in September to pay a record $148 million to settle claims in the U.S. over the hack, in an agreement which also saw the company undertake to ramp up its data protection practices. Uber’s chief security officer at the time, who paid the hackers to keep quiet and delete the info, was subsequently fired, along with a deputy.
The company said Tuesday that it had learned from its mistakes and was “pleased to close this chapter on the data incident from 2016.”
“As we shared with European authorities during their investigations, we've made a number of technical improvements to the security of our systems both in the immediate wake of the incident as well as in the years since,” it said in a statement.
Cover image: A photo illustration shows the Uber app on a mobile telephone in London, Britain November 10, 2017. (REUTERS/Simon Dawson)