This information has been prepared by IG, a trading name of IG Markets Limited. In addition to the disclaimer below, the material on this page does not contain a record of our trading prices, or an offer of, or solicitation for, a transaction in any financial instrument. IG accepts no responsibility for any use that may be made of these comments and for any consequences that result. No representation or warranty is given as to the accuracy or completeness of this information. Consequently any person acting on it does so entirely at their own risk. Any research provided does not have regard to the specific investment objectives, financial situation and needs of any specific person who may receive it. It has not been prepared in accordance with legal requirements designed to promote the independence of investment research and as such is considered to be a marketing communication. Although we are not specifically constrained from dealing ahead of our recommendations we do not seek to take advantage of them before they are provided to our clients. See full non-independent research disclaimer and quarterly summary.
Uber has landed in hot water with British and Dutch data protection regulators over a massive data breach that saw customers and drivers’ personal information leaked only months after US state authorities fined the company a record $148 million for the same infraction.
The UK’s Information Commissioner’s Office (ICO) announced that it is finding Uber £385,000 for ‘failing to protect customers’ personal information during a cyber-attack’.
According to the ICO, the ridesharing company had a series of ‘avoidable data security flaws’ that led to around 2.7 million UK customers and 82,000 drivers' personal information to be accessed and downloaded by hackers from a cloud-based storage system operated by Uber’s parent company.
‘This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen,’ ICO Director of Investigations Steve Eckersley said.
‘At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable,’ he added.
Uber tried to cover up data breach
At the same time, Uber came under fire from Dutch data protection authorities who have issued a fine of €600,000 (£532,000) for not reporting its information breach to the regulator within 72 hours after the leak was discovered.
To make matters worse, Uber first realised that it had been hacked back in December 2016 but rather than notifying customers, drivers and regulators about the breach, it opted to pay the hackers $100,000 to cover up the leak.
US states $148 million settlement
Back in September, Uber agreed to pay $148 million to 50 US states and the District of Columbia over the same data breach that saw British and Dutch authorities levy heavy fines against the company.
As part of the settlement with US state authorities, Uber must ‘adopt model data breach notification and data security practices and a corporate integrity program for employees to report unethical behaviour, and hire an independent third party to assess its data security practices’.