Uber fined £385,000 over customer hack failings
Uber has been fined more than £900,000 by the UK and Dutch regulators over failings related to a hack in 2016 in which millions of customer details were stolen.
Britain's Information Commissioner's Office (ICO), which issued a £385,000 penalty to the ride-sharing company, said it had shown "complete disregard" for the customers as well as 82,000 drivers whose records were taken.
In the Netherlands, where 174,000 citizens were affected by the worldwide incident, Uber was fined €600,000 (£532,000) by the Dutch data protection authority.
Details of the hack, which affected 57 million Uber users worldwide, were first disclosed last year - when it also emerged that the company paid the hackers $100,000 to delete the data rather than notifying the victims.
The ICO said a series of "avoidable data security flaws" had allowed customers' personal details to be accessed and downloaded from a cloud-based storage system operated by Uber in the US.
They included full names, email addresses and phone numbers.
Driver details - including journeys made and how much they were paid - were also taken during the incident in October and November 2016.
The ICO said the hackers used a process known as "credential stuffing", in which compromised username and password pairs are entered into websites until they are matched to an existing account, to gain access to Uber's data storage.
The regulator said the incident had the potential to expose customers and drivers affected to an increased risk of fraud.
ICO director of investigations Steve Eckersley said: "This was not only a serious failure of data security on Uber's part but a complete disregard for the customers and drivers whose personal information was stolen.
"At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.
"Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack."
The ICO penalty was issued under 1998 data protection legislation under which the maximum fine was £500,000. Under new laws that came into force this year, the regulator has the power to impose fines of up to £17m or 4% of global turnover on companies.