The ICO (Information Commissioner’s Office) has fined Uber £385,000 for a data breach affecting 35 million people, including 2.7 million British customers.
In November 2016, attackers accessed Uber’s cloud servers, which contained passengers’ names, phone numbers, email addresses and the location where they had signed up.
The crooks also accessed the personal data of 3.7 million drivers, including 82,000 from the UK. Their weekly pay, trip summaries and, in some cases, driving licence numbers were compromised.
Meanwhile, the Dutch Data Protection Authority fined Uber €600,000 (£530,000) under its own pre-GDPR legislation.
Steve Eckersley, the ICO’s director of investigations, said the incident displayed “not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen”.
The issue was compounded by Uber US’s decision not to disclose the attack. Instead, it agreed to pay the crooks $100,000 (£78,000) as a “bug bounty”.
Bug bounties are common in the cyber security industry, with organisations offering financial rewards to researchers who find and notify them of system weaknesses.
However, if the organisation suspects that sensitive information has been compromised, it is obliged to disclose the incident. Uber didn’t do that until a year later, when Bloomberg revealed the cover-up.
At the time of the breach, Uber was under investigation for separate claims of privacy violations, which probably affected its decision-making. But these are not the only controversies it has been involved in. Since it was founded in 2009, Uber has faced four other criminal probes, which have looked into possible bribes, illicit software, questionable pricing schemes and theft of a competitor’s intellectual property.
Uber also faces dozens of civil lawsuits, with London among several cities to have taken steps to ban its service.
In September 2018, the organisation agreed to pay a record $148 million (£116 million) to settle claims with all 50 US states and the District of Columbia regarding the cover-up. According to a press release from California Attorney General Xavier Becerra and San Francisco District Attorney George Gascon, the settlement “includes additional terms to prevent future breaches and to reform Uber’s corporate culture”.
Because the incident occurred before the EU’s GDPR (General Data Protection Regulation) took effect, Uber escaped a much larger penalty. The ICO based its decision on the requirements of the GDPR’s predecessor, the Data Protection Act 1998, under which the maximum penalty was £500,000.
So why didn’t Uber receive the biggest possible fine? There are three reasons. First, Uber’s European branches weren’t informed of the breach, meaning those who were responsible for disclosing the incident had no knowledge of it. Second, the ICO investigation revealed that there was little evidence that the compromised data was misused.
Finally, Uber was quick to make widespread changes once its security failings had been made public. Dara Khosrowshahi took over as the organisation’s CEO in September 2017 and insisted that “we are changing the way we do business”.
That has so far proven to be true, with the organisation confirming that it had made “a number of technical improvements to the security of [its] systems both in the immediate wake of the incident as well as in the years since”.
Some, if not most, of those changes were likely mandated by data protection authorities, but a demonstrated willingness to improve information security is still enough to reduce financial penalties.
How will you respond to a data breach?
A recent Ponemon Institute survey found that one in four organisations will fall victim to a data breach within the next two years. This means there’s a good chance you could suffer a similar fate to Uber. But will you be able to manage the process effectively or face harsh penalties that could have long-term effects?
Find out the best way to respond when disaster strikes by reading our free data breach survival guide. You’ll discover:
- The key questions the ICO will ask when you report a data breach;
- How to undertake effective data breach response management;
- The types of precautionary measures you need to implement to reduce the effects of a breach; and
- The six key steps you can take to ensure you meet the GDPR’s compliance requirements.