Uber fined by UK and Dutch regulators over data breach

Uber has landed in hot water with British and Dutch data protection regulators over a massive data breach that saw customers and drivers’ personal information leaked only months after US state authorities fined the company a record $148 million for the same infraction.

Uber
Source: Bloomberg

Uber has landed in hot water with British and Dutch data protection regulators over a massive data breach that saw customers and drivers’ personal information leaked only months after US state authorities fined the company a record $148 million for the same infraction.

The UK’s Information Commissioner’s Office (ICO) announced that it is finding Uber £385,000 for ‘failing to protect customers’ personal information during a cyber-attack’.

According to the ICO, the ridesharing company had a series of ‘avoidable data security flaws’ that led to around 2.7 million UK customers and 82,000 drivers' personal information to be accessed and downloaded by hackers from a cloud-based storage system operated by Uber’s parent company.

‘This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen,’ ICO Director of Investigations Steve Eckersley said.

‘At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable,’ he added.

Uber tried to cover up data breach

At the same time, Uber came under fire from Dutch data protection authorities who have issued a fine of €600,000 (£532,000) for not reporting its information breach to the regulator within 72 hours after the leak was discovered.

To make matters worse, Uber first realised that it had been hacked back in December 2016 but rather than notifying customers, drivers and regulators about the breach, it opted to pay the hackers $100,000 to cover up the leak.

US states $148 million settlement

Back in September, Uber agreed to pay $148 million to 50 US states and the District of Columbia over the same data breach that saw British and Dutch authorities levy heavy fines against the company.

As part of the settlement with US state authorities, Uber must ‘adopt model data breach notification and data security practices and a corporate integrity program for employees to report unethical behaviour, and hire an independent third party to assess its data security practices’.

IGA, may distribute information/research produced by its respective foreign marketing partners within the IG Group of companies pursuant to an arrangement under Regulation 32C of the Financial Advisers Regulations. Where the research is distributed in Singapore to a person who is not an Accredited Investor, Expert Investor or an Institutional Investor, IGA accepts legal responsibility for the contents of the report to such persons only to the extent required by law. Singapore recipients should contact IGA at 6390 5118 for matters arising from, or in connection with the information distributed.

This information/research prepared by IGA or IG Group is intended for general circulation. It does not take into account the specific investment objectives, financial situation or particular needs of any particular person. You should take into account your specific investment objectives, financial situation or particular needs before making a commitment to trade, including seeking advice from an independent financial adviser regarding the suitability of the investment, under a separate engagement, as you deem fit. No representation or warranty is given as to the accuracy or completeness of this information. Consequently any person acting on it does so entirely at their own risk. In addition to the disclaimer above, the information does not contain a record of our trading prices, or an offer of, or solicitation for, a transaction in any financial instrument. Any views and opinions expressed may be changed without an update.

See important Research Disclaimer.

Find articles by writer