Uber has landed in hot water with British and Dutch data protection regulators over a massive data breach that saw customers and drivers’ personal information leaked only months after US state authorities fined the company a record $148 million for the same infraction.
The UK’s Information Commissioner’s Office (ICO) announced that it is finding Uber £385,000 for ‘failing to protect customers’ personal information during a cyber-attack’.
According to the ICO, the ridesharing company had a series of ‘avoidable data security flaws’ that led to around 2.7 million UK customers and 82,000 drivers' personal information to be accessed and downloaded by hackers from a cloud-based storage system operated by Uber’s parent company.
‘This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen,’ ICO Director of Investigations Steve Eckersley said.
‘At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable,’ he added.
Uber tried to cover up data breach
At the same time, Uber came under fire from Dutch data protection authorities who have issued a fine of €600,000 (£532,000) for not reporting its information breach to the regulator within 72 hours after the leak was discovered.
To make matters worse, Uber first realised that it had been hacked back in December 2016 but rather than notifying customers, drivers and regulators about the breach, it opted to pay the hackers $100,000 to cover up the leak.
US states $148 million settlement
Back in September, Uber agreed to pay $148 million to 50 US states and the District of Columbia over the same data breach that saw British and Dutch authorities levy heavy fines against the company.
As part of the settlement with US state authorities, Uber must ‘adopt model data breach notification and data security practices and a corporate integrity program for employees to report unethical behaviour, and hire an independent third party to assess its data security practices’.